Exam AZ-500
Question 49

DRAG DROP -

You are implementing conditional access policies.

You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies.

You need to identify the risk level of the following risk events:

✑ Users with leaked credentials

✑ Impossible travel to atypical locations

✑ Sign-ins from IP addresses with suspicious activity

Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

    Correct Answer:

    Azure AD Identity Protection can detect six types of suspicious sign-in activities:

    ✑ Users with leaked credentials

    ✑ Sign-ins from anonymous IP addresses

    ✑ Impossible travel to atypical locations

    ✑ Sign-ins from infected devices

    ✑ Sign-ins from IP addresses with suspicious activity

    ✑ Sign-ins from unfamiliar locations

    These six types of events are categorized into 3 levels of risk - High, Medium & Low:

    References:

    http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

Discussion
majstor86

Medium, High, Medium. The question is not valid anymore.

Malikusmanrasheed

The rebeladmin guide attached is outdated. The newer guide doesn't have any indication of the severity of each risk.

ahorva

This question is no longer valid. The referenced article in the explanation also mentions the same thing: "Some time ago I wrote this article about sign-in risk-based conditional access policies. But things have been changed over time and I thought it is time to update it with new content. The updated post can access using https://www.rebeladmin.com/2020/11/step-by-step-guide-how-to-configure-sign-in-risk-based-azure-conditional-access-policies/ "

PowerBIAddict

Agreed. Trying to confirm the impossible travel in Microsoft docs it is clear that Azure has changed since this question was originally included. Amusingly the official practice exam has a very similar question.

awfnewf1q243

Note: It is very unlikely that Microsoft will require the memorization of specific risk levels given that they have changed the documentation. Previously the risk levels were very well defined, however they now provide this very vague paragraph: "Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user."

Modern Documentation: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#investigate-risk

Legacy Documentation: https://web.archive.org/web/20190419234045/https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

phi3nix

Sign-ins from IP addresses with suspicious activity is Medium now. https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md#sign-ins-from-ip-addresses-with-suspicious-activity

FonKeel

I doubt such a question would appear in exams, as the risk levels differ based on an organization's risk definitions. Microsoft can only recommend but can't bind such levels.

the_flow88

Question no longer valid - you can now assign your own "score" to any item based on your company's needs. Which makes more sense anyway...

trashbox

Impossible travel: Medium

Leaked credentials: High

IP addresses with suspicious activity: Medium

Andre369

Users with leaked credentials - Low

Impossible travel to atypical location - High

Sign-ins from IP addresses with suspicious activity - Medium

The rationale behind these choices is as follows: Users with leaked credentials are typically considered to have a lower risk level because it indicates a potential compromise of user credentials but may not necessarily imply immediate unauthorized access to sensitive resources. Impossible travel to atypical location suggests a high risk level because it indicates a significant deviation from the user's typical travel patterns, which can be indicative of account compromise or misuse. Sign-ins from IP addresses with suspicious activity indicate a medium risk level because it suggests potential suspicious behavior but may require further investigation to determine the severity and intent of the activity.

IvanIco

what are u high on bro, it must be some good sh**, i don't know how can someone say the leaked credentials is low risk... but it is high just like you are high on some good stuff

xRiot007

"Users with leaked credentials - Low" - Really? I suggest using ChatGPT less.