
AZ-500 Exam - Question 50


HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:

✑ Assignment: Include Group1, Exclude Group2

✑ Conditions: Sign-in risk of Medium and above

✑ Access: Allow access, Require password change

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Yes -

User1 is a member of Group1. A sign-in from an unfamiliar location is risk level Medium.

Box 2: Yes -

User2 is a member of Group1. A sign-in from an anonymous IP address is risk level Medium.

Box 3: No -

Sign-ins from IP addresses with suspicious activity are risk level Low.

Note:

Azure AD Identity Protection can detect six types of suspicious sign-in activity:

✑ Users with leaked credentials

✑ Sign-ins from anonymous IP addresses

✑ Impossible travel to atypical locations

✑ Sign-ins from infected devices

✑ Sign-ins from IP addresses with suspicious activity

✑ Sign-ins from unfamiliar locations

These six event types are categorized into three risk levels: High, Medium and Low.

References:

http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

Discussion

17 comments
Geeky93
Mar 13, 2021

Wrong answer. Should be: YES, NO, NO. "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy." Source: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups

Patchfox
Dec 25, 2021

Correct answer

vtoroynah
Jan 15, 2022

"## Sign-ins from infected devices: This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as 'Low'." https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md

kitus
Jun 12, 2024

Shouldn't it be YES, NO, YES? The third use case is Medium sign-in risk because the authentication comes from an infected device.

rctm_bm
Mar 16, 2021

Agree with Geeky93, but not sure about the 3rd answer. The question with malware refers to an infected device, which is Medium Risk Level, so the answer should be YES. YES, NO, YES

JCWF
Mar 21, 2021

Device containing malware refers to an infected device, which is Low Risk Level.

cannibalcorpse
Apr 7, 2021

Exactly, any event not related to credential leakage we may say is Low Risk Level.

rctm_bm
Jul 7, 2021

No. The only Low Risk Level is Sign-ins from IP addresses with suspicious activity. Everything else is medium/high.

cfsxtuv33
Dec 24, 2021

Infected Devices: Medium Risk

rgullini
Apr 18, 2021

Totally agree with rctm_bm.

Vikku30
Dec 22, 2021

Yes, it should be: Yes, No & Yes, as in option 3 the device is compromised/infected, so access from an infected device is medium-level severity, and as per the question, for any sign-in above medium risk level the password should be changed.

udmraj
Feb 22, 2022

It should be Yes, No, Yes. Number 3 is a malware-infected system, which is an infected system.

ABIYGK
Nov 23, 2023

Explanation: Box 1: Yes - User1 is a member of Group1. Sign-in from an unfamiliar location is risk level Medium. Box 2: No - "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy." Box 3: Yes - Sign-ins from an infected device is Medium.

xRiot007
Jul 15, 2024

Sign-ins from an infected device is LOW: https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md

fireb
Sep 17, 2023

Based on changes on Azure over the years, the answer should be: Yes, Yes, Yes.

xRiot007
Jul 15, 2024

No. Anon IP login should require at most MFA, not a password change.

bhattroh
Mar 13, 2023

Yes, No, Yes... The second one has MFA enabled and is also in Group2, which is excluded from the protection policy.

sommyo
Jul 26, 2023

Y-Y-Y. Unfamiliar location - medium risk; Anonymous IP - medium risk; Infected device - medium risk.

AzureAdventure
Aug 3, 2023

Agree. User2 is in Group1 as well, therefore medium risk automatically.

P4ndem1c
Jul 30, 2023

A: Yes, No, Yes. The last one is wrong, as the device is infected with malware and thus classed as Medium.

heatfan900
Aug 23, 2023

Y, N, N. USER 1 belongs to GROUP 1 and meets the Medium or Higher condition. USER 2 belongs to GROUP 1 and 2. Since Group 2 is excluded, the user will then be excluded even though he belongs to GROUP 1. When a user is in two different groups and one is excluded, they are excluded, even if the other group they belong to is included in the RISK POLICY. USER 3 is signing in from an infected device. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as "Low".

Jkayx94
Feb 29, 2024

Yes, No, Yes. B - Exclusion takes precedence over Inclusion. C - The device is infected with malware; regardless of whether it's communicating with a botnet, it's detected as Malware = Medium Risk = Included in CAP.

Andre369
May 18, 2023

1. If User1 signs in from an unfamiliar location, he must change his password. • Yes. User1 is a member of Group1, which is included in the policy's assignment. If User1 signs in from an unfamiliar location, it meets the condition of a Medium or above sign-in risk. According to the policy's access settings, User1 must change his password.

2. If User2 signs in from an anonymous IP address, she must change her password. • No. User2 is a member of Group1 and Group2, but Group2 is excluded from the policy's assignment. Therefore, the policy does not apply to User2. Even if User2 signs in from an anonymous IP address, it won't trigger the password change requirement.

3. If User3 signs in from a computer containing malware that is communicating with known bot servers, he must change his password. • No. Although User3 is a member of Group1 and meets the sign-in risk condition, the policy's access settings do not require a password change. The policy allows access without mandating a password change.

Based on the evaluation, the correct answers are: 1. Yes 2. No 3. No

massnonn
Jun 13, 2023

For me it's Y-N-Y.

massnonn
Jun 19, 2023

Error, it's Y-N-N. User3 is a Group1 member, but: "## Sign-ins from infected devices: This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as 'Low'."

ESAJRR
Jul 10, 2023

YES, NO, NO

ArchitectX
Sep 15, 2023

It should be Yes, No, No.

JunetGoyal
Oct 11, 2023

Yes, No, Yes

GaryKing123
Oct 12, 2023

So having MFA enabled, disabled or even required doesn't impact the answer here, I believe. In Entra under CA, now when you Grant access you can either have "require MFA" or "require authentication strength" or "require password change", among various options.

MeisAdriano
Oct 15, 2023

NO: unfamiliar location, I think, is similar to a suspected IP, so low-level, not medium-level risk. NO: "anonymous" IP address is the same as "unfamiliar location", similar to a suspicious IP address, so the risk is low. YES: because an infected device is medium risk (not a suspected IP, which is low risk). The question says on medium and above sign-in risk you have to require a password change.

wardy1983
Nov 14, 2023

Explanation: Box 1: Yes - User1 is a member of Group1. Sign-in from an unfamiliar location is risk level Medium. Box 2: No - "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy." Box 3: No - Sign-ins from IP addresses with suspicious activity is low.

jimmyjose
Nov 23, 2023

The answer to Box 3 is 'YES' because it talks about a computer containing malware communicating with bots. There is a difference between malware (MEDIUM) and suspicious activity (LOW).