
AZ-500 Exam - Question 49


DRAG DROP -

You are implementing conditional access policies.

You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies.

You need to identify the risk level of the following risk events:

✑ Users with leaked credentials

✑ Impossible travel to atypical locations

✑ Sign-ins from IP addresses with suspicious activity

Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Azure AD Identity Protection can detect six types of suspicious sign-in activities:

✑ Users with leaked credentials

✑ Sign-ins from anonymous IP addresses

✑ Impossible travel to atypical locations

✑ Sign-ins from infected devices

✑ Sign-ins from IP addresses with suspicious activity

✑ Sign-ins from unfamiliar locations

These six types of events are categorized into 3 levels of risk - High, Medium & Low:

References:

http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

Discussion

8 comments
majstor86
Mar 2, 2023

Medium, High, Medium. The question is not valid anymore.

Malikusmanrasheed
May 30, 2023

rebeladmin guide attached is outdated. The newer guide doesn't have any indication of the severity of each risk

ahorva
May 20, 2022

This question is no longer valid. The referenced article in the explanation also mentions the same thing: "Some time ago I wrote this article about sign-in risk-based conditional access policies. But things have been changed over time and I thought it is time to update it with new content. The updated post can access using https://www.rebeladmin.com/2020/11/step-by-step-guide-how-to-configure-sign-in-risk-based-azure-conditional-access-policies/"

PowerBIAddict
May 21, 2022

Agreed. Trying to confirm the impossible travel in Microsoft docs it is clear that Azure has changed since this question was originally included. Amusingly the official practice exam has a very similar question.

phi3nix
May 19, 2022

Sign-ins from IP addresses with suspicious activity is Medium now. https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md#sign-ins-from-ip-addresses-with-suspicious-activity

awfnewf1q243
Oct 26, 2022

Note: It is very unlikely that Microsoft will require the memorization of specific risk levels given that they have changed the documentation. Previously the risk levels were very well defined, however they now provide this very vague paragraph: "Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user."

Modern Documentation: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#investigate-risk

Legacy Documentation: https://web.archive.org/web/20190419234045/https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events

FonKeel
Jan 6, 2023

I doubt such a question would appear in exams, as the risk levels differ based on an organization's risk definitions. Microsoft can only recommend but can't bind such levels.

the_flow88
Jul 28, 2022

Question no longer valid - you can now assign your own "score" to any item based on your company's needs. Which makes more sense anyway...

Andre369
May 18, 2023

Users with leaked credentials - Low

Impossible travel to atypical location - High

Sign-ins from IP addresses with suspicious activity - Medium

The rationale behind these choices is as follows:

Users with leaked credentials are typically considered to have a lower risk level because it indicates a potential compromise of user credentials but may not necessarily imply immediate unauthorized access to sensitive resources.

Impossible travel to atypical location suggests a high risk level because it indicates a significant deviation from the user's typical travel patterns, which can be indicative of account compromise or misuse.

Sign-ins from IP addresses with suspicious activity indicate a medium risk level because it suggests potential suspicious behavior but may require further investigation to determine the severity and intent of the activity.

IvanIco
Sep 20, 2023

what are u high on bro, it must be some good sh**, i don't know how can someone say the leaked credentials is low risk... but it is high just like you are high on some good stuff

xRiot007
Jul 15, 2024

"Users with leaked credentials - Low" - Really? I suggest using Chat GPT less.

trashbox
Oct 9, 2023

Impossible travel: Medium

Leaked credentials: High

IP addresses with suspicious activity: Medium