Exam AZ-500
Question 50

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:

✑ Assignment: Include Group1, Exclude Group2

✑ Conditions: Sign-in risk of Medium and above

✑ Access: Allow access, Require password change

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Yes -

    User1 is a member of Group1. A sign-in from an unfamiliar location is risk level Medium, which meets the policy's "Medium and above" condition.

    Box 2: Yes -

    User2 is a member of Group1. A sign-in from an anonymous IP address is risk level Medium.

    Box 3: No -

    A computer infected with malware that communicates with known bot servers is the "Sign-ins from infected devices" detection, which is classified as Low risk and therefore falls below the policy's Medium threshold.

    Note:

    Azure AD Identity Protection can detect six types of suspicious sign-in activity:

    ✑ Users with leaked credentials

    ✑ Sign-ins from anonymous IP addresses

    ✑ Impossible travel to atypical locations

    ✑ Sign-ins from infected devices

    ✑ Sign-ins from IP addresses with suspicious activity

    ✑ Sign-ins from unfamiliar locations

    These six event types are categorized into three risk levels: High, Medium and Low.

    References:

    http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
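Added example, written for this page and not taken from Microsoft or from the exam: a short Python model of the policy evaluation the thread argues about. It encodes two rules, the scope rule from Microsoft's Conditional Access users-and-groups documentation quoted in the discussion (an excluded group overrides an included one) and a risk-threshold comparison using the legacy detection risk levels quoted in the thread. The Group1/Group2 memberships of User1, User2 and User3 are an assumption reconstructed from the comments, since the question's table is not reproduced on this page, and the detection-to-level table is likewise an assumption for illustration. Under those rules the model returns Yes, No, No, which differs from the answer key above on Box 2.

```python
"""Model of how an Identity Protection sign-in risk policy with group
include/exclude scoping and a risk threshold is evaluated.

Illustrative code for this page, not Microsoft's evaluator and not a Graph API
call. Group memberships are reconstructed from the discussion (assumption); the
detection risk levels follow the legacy documentation quoted in the thread.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

# Ordering used to compare a detected risk level against the policy threshold.
RISK_ORDER: Dict[str, int] = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Detection -> risk level as given in the legacy risk-event docs quoted on this
# page. Current Entra ID detections and levels differ; assumption, not authority.
DETECTION_RISK: Dict[str, str] = {
    "leaked_credentials": "high",
    "unfamiliar_location": "medium",
    "anonymous_ip": "medium",
    "infected_device": "low",   # IP-based detection, hence classified Low
}


@dataclass(frozen=True)
class SignInRiskPolicy:
    include_groups: FrozenSet[str]
    exclude_groups: FrozenSet[str]
    min_risk: str                     # policy fires at this level and above
    require_password_change: bool = True


def policy_applies(user_groups: Iterable[str], policy: SignInRiskPolicy) -> bool:
    """Scope check. An exclusion overrides an inclusion: a user who is in both
    an included and an excluded group is out of scope for the policy."""
    groups = set(user_groups)
    if groups & policy.exclude_groups:
        return False
    return bool(groups & policy.include_groups)


def must_change_password(user_groups: Iterable[str], detection: str,
                         policy: SignInRiskPolicy) -> bool:
    """True when the policy is in scope for the user and the detected sign-in
    risk meets the threshold, so the 'Require password change' control fires."""
    if not policy_applies(user_groups, policy):
        return False
    level = DETECTION_RISK[detection]
    at_or_above_threshold = RISK_ORDER[level] >= RISK_ORDER[policy.min_risk]
    return policy.require_password_change and at_or_above_threshold


# The policy from the question: include Group1, exclude Group2, Medium and above.
QUESTION_POLICY = SignInRiskPolicy(
    include_groups=frozenset({"Group1"}),
    exclude_groups=frozenset({"Group2"}),
    min_risk="medium",
)

# Memberships as reconstructed from the discussion (assumption).
USERS: Dict[str, FrozenSet[str]] = {
    "User1": frozenset({"Group1"}),
    "User2": frozenset({"Group1", "Group2"}),
    "User3": frozenset({"Group1"}),
}

# The three hotspot statements, mapped to the detection each one describes.
SCENARIOS = [
    ("User1", "unfamiliar_location"),
    ("User2", "anonymous_ip"),
    ("User3", "infected_device"),
]


def evaluate_question(policy: SignInRiskPolicy = QUESTION_POLICY) -> Dict[str, bool]:
    """Return the Yes/No (True/False) outcome for each of the three statements."""
    return {user: must_change_password(USERS[user], detection, policy)
            for user, detection in SCENARIOS}


if __name__ == "__main__":
    for user, outcome in evaluate_question().items():
        print(f"{user}: {'Yes' if outcome else 'No'}")
    # Same tenant, but with Group2 dropped from the exclusion list: User2 is
    # then in scope and the anonymous-IP sign-in forces a password change.
    relaxed = SignInRiskPolicy(frozenset({"Group1"}), frozenset(), "medium")
    print("User2 with no exclusion:", evaluate_question(relaxed)["User2"])
```

The two knobs that decide the contested boxes are visible in the model: changing `exclude_groups` flips Box 2, and lowering `min_risk` to "low" (or reclassifying the infected-device detection as Medium, as several commenters do) flips Box 3.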

Discussion
Geeky93

Wrong answer. Should be: YES, NO, NO. "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy." Source: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups

Patchfox

Correct answer

vtoroynah

"Sign-ins from infected devices: This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as 'Low'." https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md

kitus

shouldn't it be YES, NO, YES? the third use case is Medium sign-in risk because the authentication comes from an infected device

rctm_bm

Agree with Geeky93, but not sure about the 3rd answer. The given question with malware refers to an infected device, which is Medium Risk Level, so the answer should be YES. YES, NO, YES

JCWF

Device containing malware refers to infected device, which is Low Risk Level.

cannibalcorpse

Exactly, any event not related to credential leakage we may say is Low Risk Level.

rctm_bm

No. The only Low Risk Level is Sign-ins from IP addresses with suspicious activity. Everything else is medium/high.

cfsxtuv33

Infected Devices: Medium Risk

rgullini

totally agree with rctm_bm

Vikku30

Yes, it should be: Yes, No & Yes, as in option 3 the device is compromised/infected, so access from an infected device is medium level severity, and as per the question any sign-in at medium risk level or above requires a password change.

udmraj

It should be Yes, No, Yes. Number 3 is a malware-infected system, which is an infected system.

ABIYGK

Explanation: Box 1: Yes - User1 is member of Group1. Sign in from unfamiliar location is risk level Medium. Box 2. No - "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. " Box 3: Yes - Sign-ins from infected device is Medium.

xRiot007

Sign-ins from infected device is LOW https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md

fireb

Based on changes on Azure over the years, the answer should be: Yes, Yes, Yes.

xRiot007

No. Anon IP login should require at most MFA, not a password change.

Jkayx94

Yes, No, Yes. B - Exclusion takes precedence over Inclusion. C - Device is infected with malware; regardless of whether it's communicating with a botnet, it's detected as malware = Medium Risk = included in CAP.

heatfan900

Y, N, N. USER 1 belongs to GROUP 1 and meets the Medium or Higher condition. USER 2 belongs to GROUP 1 and 2. Since Group 2 is excluded, the user will then be excluded even though he belongs to GROUP 1. When a user is in two different groups and one is excluded, they are excluded, even if the other group they belong to is included in the RISK POLICY. USER 3 is signing in from an infected device. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as "Low".

P4ndem1c

A: Yes, No, Yes. The last one is wrong, as the device is infected with malware and thus classed as Medium.

sommyo

Y-Y-Y Unfamiliar location - medium risk Anonymous IP - medium risk Infected device - medium risk

AzureAdventure

Agree User 2 is in the Group 1 as well, therefore medium risk automatically

bhattroh

Yes, No, Yes... Second one has MFA enabled and also in Group 2 which is excluded from protection policy

Andre369

1. If User1 signs in from an unfamiliar location, he must change his password.
   Yes. User1 is a member of Group1, which is included in the policy's assignment. If User1 signs in from an unfamiliar location, it meets the condition of a Medium or above sign-in risk. According to the policy's access settings, User1 must change his password.

2. If User2 signs in from an anonymous IP address, she must change her password.
   No. User2 is a member of Group1 and Group2, but Group2 is excluded from the policy's assignment. Therefore, the policy does not apply to User2. Even if User2 signs in from an anonymous IP address, it won't trigger the password change requirement.

3. If User3 signs in from a computer containing malware that is communicating with known bot servers, he must change his password.
   No. Although User3 is a member of Group1 and meets the sign-in risk condition, the policy's access settings do not require a password change. The policy allows access without mandating a password change.

Based on the evaluation, the correct answers are: 1. Yes 2. No 3. No

wardy1983

Explanation: Box 1: Yes - User1 is member of Group1. Sign in from unfamiliar location is risk level Medium. Box 2 no "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. " Box 3: No - Sign-ins from IP addresses with suspicious activity is low.

jimmyjose

The answer to Box 3 is 'YES' because it talks about a computer containing malware communicating with bots. There is a difference between malware (MEDIUM) and suspicious activity (LOW).

MeisAdriano

NO: unfamiliar location, I think, is similar to a suspected IP, so low level, not medium level risk. NO: an "anonymous" IP address is the same as an "unfamiliar location", similar to a suspicious IP address, so the risk is low. YES: because an infected device is medium risk (not a suspected IP, which is low risk). The question says on medium and above sign-in risk you have to require password change.

GaryKing123

So having MFA enabled, disabled or even required doesn't impact the answer here I believe. In Entra under CA, now when you Grant access you can either have "require MFA" or "require authentication strength" or "require password change" among various options

JunetGoyal

Yes, No, Yes

ArchitectX

It should be Yes No No

ESAJRR

YES, NO, NO

massnonn

For me is Y-N-Y

massnonn

Error, it's Y-N-N. User3 is a Group1 member, but: "Sign-ins from infected devices: This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as 'Low'."