Exam MS-102 topic 1 question 84 discussion

A & B - Are excluding users from MFA, which is not a secure method of managing users and the risk to their accounts. C - Named locations requires IP ranges, how do you know each Wi-Fi/network range the reps will visit? Wouldn't trust ChatGPT as far as I could throw it. D - You can allow users to self-remediate their sign-in risks and user risks by setting up risk-based policies. If users pass the required access control, such as Azure AD Multifactor Authentication or secure password change, then their risks are automatically remediated. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock#self-remediation-with-risk-based-policy

The correct answer is C. named locations. Explanation: Named locations in Conditional Access policies allow you to define trusted IP ranges or geographical locations. If users from the media department are traveling to different countries, you can configure a Conditional Access policy that recognizes the user's location as trusted or safe, allowing them to bypass the block if their sign-ins are flagged as high-risk due to their travel. By adding trusted named locations, you ensure that users in the media department, when traveling, won't be blocked due to the high-risk sign-in policy. Additionally, this will allow users to remediate the issue themselves by ensuring they are recognized as coming from trusted regions, avoiding unnecessary administrative intervention.

By configuring named locations, you can define trusted IP ranges or countries. This way, you can adjust the Conditional Access policies to allow sign-ins from these locations, reducing the likelihood of users being blocked while traveling. This approach helps maintain security while providing flexibility for users on the move.

answer is D., Since the goal is to allow users to remediate the issue without administrator intervention, enabling Self-Service Password Reset (SSPR) is the most suitable choice. This allows users to recover access when their sign-ins are blocked, for instance, when traveling to new locations.

Answer is B. Sign-in risk events can self-remediated by MFA. The impossible travels will trigger a sign-in risk alert, not a user-risk one.

Self-remediation with self-service password reset If a user has registered for self-service password reset (SSPR), then they can remediate their own user risk by performing a self-service password reset. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock#self-remediation-with-risk-based-policy

La réponse C est l'idéal et rendu possible avec la sélection du pays/régions. L'utilisateur devra tout simplement partager ses coordonnées GPS à partir de l'application ms authentificateur , ceci est plus efficace et adéquat que de demander à un utilisateur de changer son mot de passe à chaque connexion

Excluding the users from the CA, and making separate CA policy for their department would be the easiest way. Although impossible travel alert works taking time and time zones into consideration and wouldn't trigger as often as You think in practice. SSPR is the next most viable option here.

D is correct

Question must be wrong - since it is a sign-in risk they should be able to verify their identity with MFA not getting help changing password.

For some reason everyone is thrown off by this question. You actually have two separate groups of users to consider here. One(France) has MFA registered and can be prompted for MFA anytime they need to remediate. The other is simply a marketing group. Imagine all these traveling users having to reset their password to remediate after every high risk sign-in. That is certainly not the result we want. They really need MFA and modifying the MFA policy can have them all register.

If a user has registered for self-service password reset (SSPR), then they can remediate their own user risk by performing a self-service password reset. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-remediate-unblock

B guys. Try to create a risky sign-in policy. You can allow but the only option available is "Require MFA". SSPR is used for risky users policy, not sign-in

For me, the correct answer will be B. the admins need to update the MFA registration policy to include the countries where the rep will travel. This will allow the user if he is detected as Sign-in risk to auto-remediate the issue. the SSPR will apply for User-risk which in this case is not the requested. Auto-remediation for Sign-in risk is MFA Auto-remediation for User risk is SSPR. named locations: I can list the countries to allow the connection of the representant, but, the user will be excluded for MFA which is not good. Exclude group doesn't apply, I won't remove MFA for the user authentication, more when he is traveling and I need to open the registration from others countries.

D. self-service password reset (SSPR) SSPR allows users to reset their passwords on their own without needing administrative intervention. In conjunction with Azure AD Identity Protection, when users have a risky sign-in, they can be prompted to perform a password reset as a remediation action. This combination ensures that even if a sign-in is considered high-risk, the user can validate their identity and reset their password to regain access.

This would be classified as a sign-in risk rather than a user-risk. Therefore, MFA self-remediates the risk. The question states that folks in France are registered for MFA, not the media department. The MFA registration policy needs checked, because MFA is what self-remediates the sign-in risk: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies#sign-in-risk-based-conditional-access-policy Therefore, the correct answer is actually B. Stop trusting ChatGPT and other non-primary sources.

The Answer Is C