Exam AZ-500
Question 74

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:

✑ Assignments: Include Group1, exclude Group2

✑ Conditions: Sign-in risk level: Medium and above

✑ Access: Allow access, Require multi-factor authentication

You need to identify what occurs when the users sign in to Azure AD.

What should you identify for each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

References:

http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
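The outcomes debated in the discussion below turn on three rules: exclusions win over inclusions, the policy only fires at or above the configured risk level, and a "Require MFA" remediation can only be satisfied by a user who has already registered for MFA (unregistered users are blocked until an administrator intervenes). The following is an added example, not code from the exam page or from Microsoft: a small Python model that encodes those rules and evaluates constructed sign-ins against the policy in the question, plus the Microsoft Graph request body for the equivalent Conditional Access policy. The users, group names and group IDs are assumptions made for illustration; the question's user table is not reproduced on this page, and the risk level of each sign-in is an input to the model rather than something derived from the detection type.

```python
# Added example: model of an Azure AD Identity Protection sign-in risk policy with
# "Include Group1, exclude Group2 / Medium and above / Allow access, Require MFA".
# Users below are constructed; risk levels are supplied, not inferred from detections.
from dataclasses import dataclass

RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class User:
    name: str
    groups: frozenset
    mfa_registered: bool                   # completed MFA registration (can satisfy Require MFA)
    legacy_per_user_mfa: str = "disabled"  # legacy per-user MFA state: disabled / enabled / enforced


@dataclass
class SignInRiskPolicy:
    include_groups: frozenset
    exclude_groups: frozenset
    min_risk: str = "medium"       # "Medium and above"
    control: str = "require_mfa"   # or "block"


def in_scope(user: User, policy: SignInRiskPolicy) -> bool:
    """Assignment check: membership in an excluded group always takes precedence."""
    if user.groups & policy.exclude_groups:
        return False
    return bool(user.groups & policy.include_groups)


def evaluate(user: User, policy: SignInRiskPolicy, signin_risk: str) -> str:
    """Return 'username_password', 'mfa' or 'blocked' for one sign-in."""
    applies = in_scope(user, policy) and RISK_RANK[signin_risk] >= RISK_RANK[policy.min_risk]
    if applies:
        if policy.control == "block":
            return "blocked"
        # Remediation needs a registered MFA method; an unregistered user is
        # blocked and requires administrator intervention (per the docs cited above).
        return "mfa" if user.mfa_registered else "blocked"
    # Policy did not apply; the legacy per-user MFA setting still prompts on its own.
    return "mfa" if user.legacy_per_user_mfa != "disabled" else "username_password"


def equivalent_conditional_access_body(group1_id: str, group2_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph) expressing
    the same policy as a Conditional Access policy. Group object IDs are placeholders."""
    return {
        "displayName": "Sign-in risk medium and above requires MFA",
        "state": "enabled",
        "conditions": {
            "signInRiskLevels": ["medium", "high"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [group1_id], "excludeGroups": [group2_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


POLICY = SignInRiskPolicy(include_groups=frozenset({"Group1"}),
                          exclude_groups=frozenset({"Group2"}))

# Constructed users covering the cases argued in the discussion (not the exam's table).
USERS = {
    "excluded_with_mfa": User("UserA", frozenset({"Group1", "Group2"}), True, "enabled"),
    "in_scope_unregistered": User("UserB", frozenset({"Group1"}), False),
    "in_scope_registered": User("UserC", frozenset({"Group1"}), True),
}


def scenario() -> dict:
    """Evaluate each constructed user at a chosen risk level."""
    return {
        "excluded, medium risk": evaluate(USERS["excluded_with_mfa"], POLICY, "medium"),
        "unregistered, medium risk": evaluate(USERS["in_scope_unregistered"], POLICY, "medium"),
        "unregistered, low risk": evaluate(USERS["in_scope_unregistered"], POLICY, "low"),
        "registered, low risk": evaluate(USERS["in_scope_registered"], POLICY, "low"),
        "registered, high risk": evaluate(USERS["in_scope_registered"], POLICY, "high"),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:28} -> {outcome}")
```

The thread's disagreement over whether a "sign-in from infected device" is Low or Medium does not change the decision logic, only the `signin_risk` input; run `evaluate(..., "low")` and `evaluate(..., "medium")` for the same user to see both outcomes. Microsoft no longer publishes a fixed detection-to-level mapping, so treat the level as data from the sign-in log, not a constant.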

Discussion
Bjarki2330

Answers are correct: 1) MFA is enabled, and on the next log-in he will have to sign up anyway, regardless of the policy; therefore prompted. 2) Blocked: "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention." 3) Blocked: see the text in 2). https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Mcgood

Thanks a lot for the details, well explained

kakakayayaya

Thanks for the great explanation!

BillBaits

According to the official Skillpipe book, "sign-ins from infected devices" are considered as "low".

BP_lobster

You are correct IMHO; number 3 would now be Username & password.

BP_lobster

Source: https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md (official GitHub repo; it states that "sign-ins from infected devices" are classified as "low").

azure_2563

User3 will be blocked. Reason: sign-ins from infected devices are considered "Medium", so the policy will be applied. Since User3 is MFA enabled, he will be blocked.

azure_2563

Sorry, MFA is disabled, so admin action is required.

xRiot007

Sign in from infected devices is "Low". If things go south and user credentials are leaked that is "High".

canonigo

1. Prompt for MFA -> User is excluded, but MFA is Enabled, so the user is always prompted for MFA.
2. Prompt for MFA -> Risk is medium and the policy applies.
3. Single Authentication -> Policy doesn't apply, risk is low.

OhBee

I respectfully disagree with number 2, although I stand to be corrected. 2. Be blocked --> Risk is medium and the policy applies; HOWEVER, MFA is disabled for User 2 and thus he/she is blocked.

macco455

Yes, MFA is disabled for User 2 on his account, BUT since he matches the policy he will need to use MFA to log in now, as the policy supersedes his AAD settings. Therefore User 2 will be prompted for MFA.

3abmula

Even if MFA is disabled, since a conditional access policy applies, the user will be prompted for MFA enrollment and to log in using MFA. And by the way, even after the user activates MFA, the status will remain disabled for that user, because it will only be used when a conditional access policy is met.

gigiscula

This is not Conditional Access. It is Identity Protection, and as stated by the docs, if the user isn't enrolled in MFA, they will be blocked.

Stews

Not true, this is the legacy method of assigning mfa to users. Security baselines means that all tenants have mfa enforced by default anyways. It should be managed via CA and being disabled here means nothing. I think this question is ancient, but I still wanted to add this.

eroms

User 3 --> Prompted for MFA

cjace

MFA MFA MFA

Denn81

Sign-ins from infected devices - Medium thus MFA

Payday123

That would be correct for Conditional Access, but the question is about Identity Protection. According to Microsoft: "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are BLOCKED and require administrator intervention."

somenick

Latest update: Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. So this question is obsolete

Fal991l

It's still good practice though

heatfan900

User 1 will always be prompted regardless of policy assignment because MFA is enforced against their account. User 2 will be blocked because they are solely in Group 1 and they meet the conditions of the assigned policy with MFA disabled, which goes against the policy requirements. User 3 will be allowed to log in with username and password only because, although they are in Group 1, they do not meet the conditions and do not have MFA enforced directly against their account. Signing in from an infected device is considered low risk.

majstor86

MFA Blocked Username and password

ltjones12

The first 2 are correct, the third is "sign in with username and pw only". It's low risk, and MFA is disabled for the user

stack120566

1. Sign in with username and PW only: User1 is a member of Group 2 (excluded from the risk policy).
2. Blocked: MFA required, but User 2's MFA status is disabled.
3. Sign in with username and PW only: low risk, so the policy does not apply.

Payday123

1. User1 is MFA-enabled in the user's properties.

[Removed]

MFA Blocked Single Authentication

Patchfox

As gigiscula said: Users must register for Azure AD MFA and SSPR BEFORE they face a situation requiring remediation. Users not registered are blocked and require administrator intervention. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies So, User2 will be blocked. But I do not agree with answer three, because Microsoft classifies sign-ins from infected devices as low risk.

TweetleD

Sign-ins from an infected device are classified as low risk, so User3 will be able to sign in by using a username and password only.

fro_prince

2 and 3 - blocked https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

certmonk

All 3 should be prompted for MFA, because all of them are in Group1 and the Access level is set to Allow access, Require MFA. For 2 and 3 the user should still be prompted for MFA, but since they have MFA disabled, they will not be able to proceed with MFA.

gumibobo

right answers

Ivanvazovv

"Sign in from unfamiliar location", "Sign in from infected device" and "Sign in from anonymous IP address" are all medium risk, thus all satisfy the condition to require MFA. User1 will be prompted for MFA regardless. So all three sign-ins require MFA.

DaveBinDC

Answers are correct. The key here is that user MUST complete MFA registration for the identity protection sign-in risk policy to take effect. Since USER1 is the only one that is MFA enabled (registered), he is the only one that will be forced to use MFA to sign in. The other two will be blocked. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

CJ32

1.) Username and Password only. User is a part of Group 2. Exclusion takes precedence. 2.) Blocked. User MUST sign up for MFA beforehand or they will be blocked. (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies) 3.) Blocked. Same reasoning as above.

snake_alejo

My answers based on that: User1 will be asked for MFA for being a medium threat. User2 will be asked for MFA for being a medium-type threat (unfamiliar location). For User3 the policy does not apply, since the risk, according to Microsoft, is low. In no case are User1 and User2 blocked.