
Exam AZ-500 topic 2 question 7 discussion

Actual exam question from Microsoft's AZ-500
Question #: 7
Topic #: 2

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:
✑ Assignment: Include Group1, Exclude Group2
✑ Conditions: Sign-in risk of Medium and above
✑ Access: Allow access, Require password change
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Yes -
User1 is a member of Group1. A sign-in from an unfamiliar location is risk level Medium.

Box 2: Yes -
User2 is a member of Group1. A sign-in from an anonymous IP address is risk level Medium.

Box 3: No -
Sign-ins from IP addresses with suspicious activity are risk level Low.
Note:

Azure AD Identity Protection can detect six types of suspicious sign-in activities:
✑ Users with leaked credentials
✑ Sign-ins from anonymous IP addresses
✑ Impossible travel to atypical locations
✑ Sign-ins from infected devices
✑ Sign-ins from IP addresses with suspicious activity
✑ Sign-ins from unfamiliar locations
These six types of events are categorized into 3 levels of risk - High, Medium & Low:
References:
http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/

Comments

Geeky93
Highly Voted 4 years ago
Wrong answer. Should be: YES, NO, NO. "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy." Source: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups
upvoted 161 times
kitus
9 months ago
Shouldn't it be YES, NO, YES? The third use case is Medium sign-in risk because the authentication comes from an infected device.
upvoted 4 times
ITFranz
2 months, 2 weeks ago
To support the third answer. Yes, if a user signs in from a computer containing malware that is communicating with bot servers, the user should change their password. This is an important security measure for several reasons: Malware on the computer may include keyloggers or other tools that can capture passwords as they are entered. The malware communicating with bot servers indicates an active security breach, which could potentially expose sensitive information including login credentials. Changing passwords is a crucial step in securing accounts after a potential compromise. User3 = Yes
upvoted 1 times
...
...
Patchfox
3 years, 2 months ago
Correct answer
upvoted 2 times
vtoroynah
3 years, 1 month ago
"##Sign-ins from infected devices This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as “Low”." https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md
upvoted 4 times
...
...
...
rctm_bm
Highly Voted 3 years, 12 months ago
Agree with Geeky93, but not sure with 3rd answer. Given question with malware refers to infected device which is Medium Risk Level, so the answer should be YES. YES, NO, YES
upvoted 133 times
Vikku30
3 years, 2 months ago
Yes, it should: Yes, No & Yes, as in option 3 the device is compromised/infected, so access from an infected device is medium level severity, and as per question any sign in above medium risk level, password should be changed.
upvoted 4 times
...
rgullini
3 years, 11 months ago
totally agree with rctm_bm
upvoted 5 times
...
udmraj
3 years ago
It should be Yes, No, Yes. Number 3 is a Malware infected System, which is Infected system.
upvoted 13 times
...
JCWF
3 years, 11 months ago
Device containing malware refers to infected device which is Low Risk Level.
upvoted 9 times
cannibalcorpse
3 years, 11 months ago
Exactly, any event not related to credentials leakage, we may say as Low Risk Level.
upvoted 3 times
...
cfsxtuv33
3 years, 2 months ago
Infected Devices: Medium Risk
upvoted 3 times
...
rctm_bm
3 years, 8 months ago
No. The only Low Risk Level is Sign-ins from IP addresses with suspicious activity. Everything else is medium\high
upvoted 15 times
...
...
...
SofiaLorean
Most Recent 4 days, 3 hours ago
Yes No Yes
upvoted 1 times
...
MarcoHurry
4 months, 1 week ago
Me too: YES, NO, YES for the same reasons discussed here
upvoted 1 times
...
pentium75
7 months, 2 weeks ago
YES, NO, YES. User 2 is excluded. Other risks are medium or higher.
upvoted 1 times
...
ShambhuSNair
7 months, 3 weeks ago
Answer: Yes No Yes. 1. Risk rating for User1 is medium and User1 is part of Group1 where Risk policy applies, so User1 will be allowed to sign in after changing the password. 2. Risk rating for User2 is medium, but the risk policy is not applied as User2 is part of Group2 which is excluded from the assignment. Hence User2 won't be allowed to sign in, and won't be prompted to change the password. 3. Risk rating for User3 is medium and User3 is part of Group1 where Risk policy applies, so User3 will be allowed to sign in after changing the password.
upvoted 2 times
...
Jkayx94
1 year ago
Yes, No, Yes. B - Exclusion takes precedence over Inclusion. C - Device is Infected with Malware, regardless if it's communicating with a botnet, it's detected as Malware = Medium Risk = Included in CAP.
upvoted 3 times
...
ABIYGK
1 year, 3 months ago
Explanation: Box 1: Yes - User1 is member of Group1. Sign in from unfamiliar location is risk level Medium. Box 2. No - "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. " Box 3: Yes - Sign-ins from infected device is Medium.
upvoted 6 times
xRiot007
8 months ago
Sign-ins from infected device is LOW https://github.com/toddkitta/azure-content/blob/master/articles/active-directory/active-directory-identityprotection-risk-events-types.md
upvoted 1 times
...
...
wardy1983
1 year, 4 months ago
Explanation: Box 1: Yes - User1 is member of Group1. Sign in from unfamiliar location is risk level Medium. Box 2 no "When organizations both include and exclude a user or group the user or group is excluded from the policy, as an exclude action overrides an include in policy. " Box 3: No - Sign-ins from IP addresses with suspicious activity is low.
upvoted 1 times
jimmyjose
1 year, 3 months ago
The answer to Box 3 is 'YES' because it talks about a computer containing malware communicating with bots. There is a difference between malware (MEDIUM) and suspicious activity (LOW).
upvoted 1 times
...
...
MeisAdriano
1 year, 5 months ago
NO: unfamiliar location I think is similar to IP suspected, so low level not medium level risk. NO: "anonymous" IP address is the same as "unfamiliar location", similar to suspicious IP address, so the risk is low. YES: because infected device is medium risk (not IP suspected that is low risk). The question says on medium and above sign-in risk you have to require password change.
upvoted 1 times
...
GaryKing123
1 year, 5 months ago
So having MFA enabled, disabled or even required doesn't impact the answer here I believe. In Entra under CA, now when you Grant access you can either have "require MFA" or "require authentication strength" or "require password change" among various options
upvoted 1 times
...
JunetGoyal
1 year, 5 months ago
Yes No Yes
upvoted 1 times
...
fireb
1 year, 5 months ago
Based on changes on Azure over the years, the answer should be: Yes, Yes, Yes.
upvoted 4 times
xRiot007
8 months ago
No. Anon IP login should require at most MFA, not a password change.
upvoted 1 times
...
...
ArchitectX
1 year, 6 months ago
It should be Yes No No
upvoted 1 times
...
heatfan900
1 year, 6 months ago
Y, N, N. USER 1 belongs to GROUP 1 and meets the Medium or Higher Conditions. USER 2 belongs to GROUP 1 and 2. Since Group 2 is excluded, the user will then be excluded even though he belongs to GROUP 1. When a user is in two different groups and one is excluded, they are excluded, even if the other group they belong to is included in the RISK POLICY. USER 3 is signing in from an infected device. This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as “Low”.
upvoted 3 times
...
P4ndem1c
1 year, 7 months ago
A: Yes, No, Yes. Last one is wrong as device is infected with malware thus classed as Medium.
upvoted 3 times
...
sommyo
1 year, 7 months ago
Y-Y-Y Unfamiliar location - medium risk Anonymous IP - medium risk Infected device - medium risk
upvoted 3 times
AzureAdventure
1 year, 7 months ago
Agree User 2 is in the Group 1 as well, therefore medium risk automatically
upvoted 1 times
...
...