
AZ-500 Exam - Question 74


HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection sign-in risk policy that has the following settings:

✑ Assignments: Include Group1, exclude Group2

✑ Conditions: Sign-in risk level: Medium and above

✑ Access: Allow access, Require multi-factor authentication

You need to identify what occurs when the users sign in to Azure AD.

What should you identify for each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

References:

http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
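The policy mechanics in the question (an assignment that includes Group1 and excludes Group2, a threshold of "Medium and above", and "Allow access, Require multi-factor authentication") together with the registration rule quoted from the docs in the discussion below ("Users not registered are blocked and require administrator intervention") can be written down as a small decision model. The Python below is an added example, not Microsoft code and not the exam's answer key: the users, their groups and the risk levels are constructed, and the risk level of each sign-in is an input to the model, so it does not settle which detection maps to which level (the discussion disagrees on that). The legacy per-user MFA states Enabled and Enforced follow their documented meaning (prompt to register at next sign-in, prompt for MFA at every sign-in).

```python
"""Decision model for an Azure AD Identity Protection sign-in risk policy.

Constructed teaching example; not Microsoft code. It encodes four rules:
  * an excluded group takes precedence over an included group;
  * the policy applies only when the sign-in risk is at or above the threshold;
  * under "Require MFA", a registered user is prompted and an unregistered user
    is blocked pending administrator intervention (the docs quoted in the thread);
  * out of scope, the legacy per-user MFA state (Disabled/Enabled/Enforced) decides.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Sign-in risk levels in ascending order, so '>=' expresses 'and above'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class SignInRiskPolicy:
    include: frozenset   # groups the assignment includes
    exclude: frozenset   # groups the assignment excludes (exclusion wins)
    min_risk: Risk       # "Medium and above" -> Risk.MEDIUM
    control: str         # "require_mfa" (Allow access, Require MFA) or "block"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_registered: bool            # has the user completed MFA registration?
    per_user_mfa: str = "Disabled"  # legacy per-user MFA: Disabled / Enabled / Enforced


def policy_applies(policy: SignInRiskPolicy, user: User, risk: Risk) -> bool:
    """True when the user is in scope of the assignment and the risk meets the threshold."""
    if user.groups & policy.exclude:        # any excluded group takes precedence
        return False
    if not (user.groups & policy.include):  # not included at all
        return False
    return risk >= policy.min_risk


def evaluate_sign_in(policy: SignInRiskPolicy, user: User, risk: Risk) -> str:
    """Outcome of one sign-in under the policy plus the legacy per-user MFA state."""
    if policy_applies(policy, user, risk):
        if policy.control == "block":
            return "blocked"
        # "Require MFA": only a registered user can satisfy the control.
        if user.mfa_registered:
            return "prompted for MFA"
        return "blocked (not registered for MFA; admin intervention required)"
    # Policy out of scope or below threshold: legacy per-user MFA state decides.
    if user.per_user_mfa == "Enforced":
        return "prompted for MFA"
    if user.per_user_mfa == "Enabled":
        return "prompted to register for MFA"
    return "username and password only"


# The policy from the question.
POLICY = SignInRiskPolicy(include=frozenset({"Group1"}), exclude=frozenset({"Group2"}),
                          min_risk=Risk.MEDIUM, control="require_mfa")

# Constructed sample sign-ins (not the question's user table, which is not on the page).
SAMPLE_SIGN_INS = [
    (User("excluded-enforced", frozenset({"Group1", "Group2"}), True, "Enforced"), Risk.MEDIUM),
    (User("excluded-disabled", frozenset({"Group1", "Group2"}), False), Risk.HIGH),
    (User("in-scope-unregistered", frozenset({"Group1"}), False), Risk.MEDIUM),
    (User("in-scope-registered", frozenset({"Group1"}), True), Risk.HIGH),
    (User("in-scope-low-risk", frozenset({"Group1"}), False), Risk.LOW),
]


def evaluate_all(policy: SignInRiskPolicy = POLICY, sign_ins=SAMPLE_SIGN_INS) -> dict:
    """Map each sample user name to its sign-in outcome."""
    return {user.name: evaluate_sign_in(policy, user, risk) for user, risk in sign_ins}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:24} -> {outcome}")
```

Changing `control` to `"block"` or lowering `min_risk` shows how the same users fare under a user risk policy's stricter control or a "Low and above" condition; swapping `mfa_registered` on the in-scope users reproduces the prompted-versus-blocked split that most of the discussion turns on.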

Discussion

17 comments
Bjarki2330
Jul 20, 2021

Answers are correct: 1) MFA is enabled, so on his next log-in he will have to sign up anyway, regardless of the policy; therefore he is prompted. 2) Blocked - "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention." 3) Blocked - see the text in 2). https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Mcgood
Aug 1, 2021

Thanks a lot for the details, well explained

kakakayayaya
Aug 22, 2021

Thanks for the great explanation!

BillBaits
Dec 2, 2021

According to the official Skillpipe book, "sign-ins from infected devices" are considered as "low".

BP_lobster
Mar 22, 2022

You are correct, IMHO. Number 3 would now be Username & password.

BP_lobster
Mar 23, 2022

Source: https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md (official GitHub repo; states that "sign-ins from infected devices" are classified as "low")

azure_2563
Oct 3, 2023

User3 will be blocked. Reason: sign-ins from infected devices are considered "Medium", so the policy will be applied. Since User3 is MFA enabled, it will be blocked.

azure_2563
Oct 3, 2023

Sorry, MFA is disabled, so admin action is required.

xRiot007
Jul 16, 2024

Sign-in from infected devices is "Low". If things go south and user credentials are leaked, that is "High".

canonigo
Mar 23, 2021

1. Prompt for MFA -> User is excluded, but MFA is Enabled, so the user is always prompted for MFA.
2. Prompt for MFA -> Risk is medium and the policy applies.
3. Single Authentication -> Policy doesn't apply, risk low.

OhBee
Mar 27, 2021

I respectfully disagree with number 2, although I stand to be corrected. 2. Be blocked --> Risk is medium and the policy applies; HOWEVER, MFA is disabled for User 2 and thus he/she is blocked.

macco455
Mar 28, 2021

Yes, MFA is disabled for User 2 on his account, BUT since he matches the policy he will need to use MFA to log in now, as the policy supersedes his AAD settings. Therefore User 2 will be prompted for MFA.

3abmula
Jun 5, 2021

Even if MFA is disabled, since the conditional access policy applies, the user will be prompted for MFA enrollment and to log in using MFA. And by the way, even after the user activates MFA, the status will remain disabled for that user, because it will only be used when a conditional access policy is met.

gigiscula
Sep 15, 2021

This is not Conditional Access. It is Identity Protection, and as stated by docs if the user isn't enrolled in MFA, it will be blocked.

Stews
Apr 13, 2022

Not true, this is the legacy method of assigning MFA to users. Security baselines mean that all tenants have MFA enforced by default anyway. It should be managed via CA, and being disabled here means nothing. I think this question is ancient, but I still wanted to add this.

eroms
May 20, 2021

User 3 --> Prompted for MFA

cjace
May 27, 2021

MFA MFA MFA

Denn81
May 28, 2021

Sign-ins from infected devices - Medium thus MFA

Payday123
Feb 16, 2022

That would be correct for Conditional Access, but the question is about Identity Protection. According to Microsoft: "Users must register for Azure AD MFA and SSPR before they face a situation requiring remediation. Users not registered are BLOCKED and require administrator intervention."

somenick
Sep 30, 2022

Latest update: Microsoft doesn't provide specific details about how risk is calculated. Each level of risk brings higher confidence that the user or sign-in is compromised. So this question is obsolete.

Fal991l
Nov 3, 2022

It's still good practice though

heatfan900
Aug 24, 2023

User 1 will always be prompted regardless of policy assignment because MFA is enforced against their acct. User 2 will be blocked because they are solely in Group 1 and they meet the conditions of the policy assigned, with MFA disabled, which goes against the policy requirements. User 3 will be allowed to log in with username and password only because, although they are in Group 1, they do not meet the conditions and do not have MFA enforced directly against their acct. Signing in from an infected device is considered low risk.

majstor86
Mar 2, 2023

1. MFA
2. Blocked
3. Username and password

Patchfox
Dec 24, 2021

As gigiscula said: Users must register for Azure AD MFA and SSPR BEFORE they face a situation requiring remediation. Users not registered are blocked and require administrator intervention. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies So, User2 will be blocked. But I do not agree with answer three, because Microsoft classifies sign-ins from infected devices as low risk.

[Removed]
Jan 12, 2022

1. MFA
2. Blocked
3. Single Authentication

stack120566
Jan 19, 2022

1. Sign in with Username and Pw only .. User1 is a member of Group 2 (excluded from the risk policy).
2. Blocked .. MFA required, but User 2 MFA status is disabled.
3. Sign in with Username and Pw only ... Low risk, so the policy does not apply.

Payday123
Feb 16, 2022

1. User1 is MFA in user's properties

ltjones12
Jan 5, 2023

The first 2 are correct; the third is "sign in with username and pw only". It's low risk, and MFA is disabled for the user.

certmonk
May 21, 2022

All 3 should be prompted for MFA, because all of them are in Group1 and the Access level is set to Allow access, Require MFA. For 2 and 3 the user should still be prompted for MFA, but since they have MFA disabled they will not be able to proceed with MFA.

fro_prince
Aug 10, 2022

2 and 3 - blocked https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

TweetleD
Nov 7, 2022

Sign-ins from an infected device are classified as a low risk, so User3 will be able to sign in by using a username and password only.

snake_alejo
Dec 30, 2021

My answers based on that: User1 will be asked for MFA for being a medium threat. User2 will be asked for MFA for being a medium-type threat (unfamiliar location). For User 3 the policy does not apply, since the risk, according to Microsoft, is low. In no case are User 1 and 2 blocked.

CJ32
Jan 28, 2022

1.) Username and Password only. User is a part of Group 2. Exclusion takes precedence.
2.) Blocked. User MUST sign up for MFA beforehand or they will be blocked. (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies)
3.) Blocked. Same reasoning as above.

DaveBinDC
Apr 29, 2022

Answers are correct. The key here is that user MUST complete MFA registration for the identity protection sign-in risk policy to take effect. Since USER1 is the only one that is MFA enabled (registered), he is the only one that will be forced to use MFA to sign in. The other two will be blocked. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

Ivanvazovv
Aug 10, 2022

"Sign in from unfamiliar location", "Sign in from infected device" and "Sign in from anonymous IP address" are all medium risk, thus all satisfy the condition to require MFA. User1 will be prompted for MFA regardless. So all three sign-ins require MFA.

gumibobo
Mar 2, 2024

right answers