Exam MS-100 topic 1 question 33 discussion

Actual exam question from Microsoft's MS-100
Question #: 33
Topic #: 1

Your company has an Enterprise E5 subscription of Microsoft 365.
You have been tasked with making sure that sales department users are compelled to make use of multi-factor authentication for all cloud-based applications.
Which of the following actions should you take?

  • A. You should create a DLP.
  • B. You should create a new app registration.
  • C. You should create a session policy.
  • D. You should create a sign-in risk policy.
Suggested Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy

Comments

YClaveria
Highly Voted 3 years, 6 months ago
The how-to is in the provided reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#sign-in-risk-with-conditional-access .... 6. Under Cloud apps or actions > Include, select All cloud apps. 7. Under Conditions > Sign-in risk, set Configure to Yes. Under Select the sign-in risk level this policy will apply to a. Select High and Medium. b. Select Done. 8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select. ...
upvoted 14 times
Storm
3 years, 2 months ago
Why would you assume that our sales personnel have done anything to be recognized by MS as risky users???
upvoted 10 times
...
...
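The scoping question raised in this thread, as an added example that is not part of any comment or of Microsoft's documentation: a simplified Python model (an assumption, not the real evaluation engine) of how the `signInRiskLevels` condition limits which sign-ins a Conditional Access policy challenges. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the group ID, user names and app name are constructed.

```python
# Simplified model (an assumption, not Microsoft's evaluation engine) of how the
# sign-in risk condition scopes a Conditional Access policy.
SALES_GROUP = "00000000-0000-0000-0000-000000000001"  # constructed placeholder ID

def make_policy(name, risk_levels):
    """Policy body shaped like a Graph conditionalAccessPolicy (subset of fields)."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [SALES_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": risk_levels,  # empty list = condition not configured
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def requires_mfa(policy, sign_in):
    """True when every configured condition matches and the grant control is MFA."""
    cond = policy["conditions"]
    if policy["state"] != "enabled":
        return False
    if not set(cond["users"]["includeGroups"]) & set(sign_in["groups"]):
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and sign_in["app"] not in apps:
        return False
    levels = cond["signInRiskLevels"]
    if levels and sign_in["risk"] not in levels:
        return False  # risk condition configured, but this sign-in is outside it
    return "mfa" in policy["grantControls"]["builtInControls"]

def unchallenged(policy, sign_ins):
    """Users whose sign-in passes without an MFA prompt under this policy."""
    return [s["user"] for s in sign_ins if not requires_mfa(policy, s)]

# Constructed sign-ins: four sales users, one per risk level.
SIGN_INS = [{"user": u, "groups": [SALES_GROUP], "app": "crm", "risk": r}
            for u, r in [("alice", "none"), ("bob", "low"),
                         ("carol", "medium"), ("dave", "high")]]

RISK_ONLY = make_policy("Sales: MFA on medium/high sign-in risk", ["medium", "high"])
ALL_LEVELS = make_policy("Sales: MFA at every risk level",
                         ["none", "low", "medium", "high"])
NO_RISK_CONDITION = make_policy("Sales: always require MFA", [])

if __name__ == "__main__":
    for p in (RISK_ONLY, ALL_LEVELS, NO_RISK_CONDITION):
        print(p["displayName"], "-> no MFA prompt for:", unchallenged(p, SIGN_INS))
```

In this model, only the policy limited to medium and high risk leaves the no-risk and low-risk sales sign-ins without a prompt.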
TimurKazan
Highly Voted 3 years, 5 months ago
Actually, this is implemented in conditional access policies. I don't think it has something to do with sign-in risk policies regarding cloud apps.
upvoted 9 times
extrankie
3 years, 3 months ago
Conditional access should be the best approach, but a risk policy also forces MFA.
upvoted 2 times
...
...
osxzvkwpfcfxobqjby
Most Recent 1 year, 8 months ago
Selected Answer: D
Conditional access with session option is only working with "supported apps". So, at the moment your only option is D. To make sure it applies to all users in the group you select all options High to noRisk. https://learn.microsoft.com/nl-nl/azure/active-directory/conditional-access/concept-conditional-access-session#application-enforced-restrictions
upvoted 2 times
...
Rednevi
1 year, 11 months ago
Selected Answer: C
C. You should create a session policy. By creating a session policy, you can define and enforce specific settings for user sessions. In this case, you can configure the session policy to require multi-factor authentication for all cloud-based applications accessed by sales department users. This policy will ensure that users are prompted for an additional authentication factor when accessing these applications, enhancing security. Creating a DLP (Data Loss Prevention) policy is not directly related to enforcing multi-factor authentication. Creating a new app registration or a sign-in risk policy does not directly address the requirement of compelling sales department users to use multi-factor authentication for all cloud-based applications. Therefore, the most appropriate action to achieve the specified goal is to create a session policy.
upvoted 2 times
...
Don123
2 years, 2 months ago
D. You should create a sign-in risk policy. To make sure that sales department users are compelled to make use of multi-factor authentication for all cloud-based applications, you should create a sign-in risk policy. A sign-in risk policy can be used to require multi-factor authentication for users based on certain conditions or risk level, such as location, device, IP address, and more. This can be done using Azure Active Directory Conditional Access in the Azure portal, and you can use the cloud-based subscription to apply this policy.
upvoted 2 times
...
Startkabels
2 years, 5 months ago
Selected Answer: B
I'd vote D: Force sales users to do MFA. A risk policy doesn't do that because risk is determined automatically, and if there is no risk there is no MFA. I would use Conditional Access to achieve that, but first you need to register those cloud apps in Azure AD to use as a condition for the policy. So apply to Sales users and apply to the registered app and always force MFA. Makes sense to me.
upvoted 1 times
...
Startkabels
2 years, 5 months ago
I'd vote B: We need to force sales users to do MFA for cloud apps. A risk policy doesn't do that because risk is determined automatically, and if there is no risk there is no MFA. I would use Conditional Access to achieve it, but first you need to register those cloud apps in Azure AD to use as a condition for the policy. So apply to Sales users and apply to the registered app and always force MFA. Makes sense to me.
upvoted 1 times
...
Monk16
2 years, 6 months ago
Answer is D. It would be a conditional access policy if that was an option, for sure. But as it's not, you create a sign-in risk policy which forces MFA on the user when there is no risk. Obviously this is silly, as you normally use a risk policy with a risk level of medium or high and block the connection, for example. But this fits best.
upvoted 1 times
...
Pha0691
2 years, 7 months ago
Risk-based policies: If your organization uses Azure AD Identity Protection to detect risk signals, consider using risk-based policies instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed at risk such as leaked credentials, sign-ins from anonymous IP addresses, and more. Risk policies include:
- Require all users to register for Azure AD Multi-Factor Authentication
- Require a password change for users that are high-risk
- Require MFA for users with medium or high sign-in risk
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
upvoted 1 times
...
hussain2000
3 years ago
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy Here it is, boys: D is the answer.
upvoted 3 times
...
Storm
3 years, 2 months ago
There is no way we can force all sales personnel to be risky users... I have no idea why people are upvoting suggestions to create a risk policy that requires MFA for all users with medium or high risk level... I think we can assume that the people we have hired in our sales department are not doing impossible travel, logging in from unknown IPs or other stuff that would make them risky... The correct answer should be conditional access policy...
upvoted 7 times
HenriksDisciple
3 years ago
This is the truth.
upvoted 1 times
...
Frede
3 years ago
You are correct Sir!
upvoted 1 times
...
...
joergsi
3 years, 2 months ago
If you follow this link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted you will find:
Risk-based policies: If your organization uses Azure AD Identity Protection to detect risk signals, consider using risk-based policies instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity or require multifactor authentication when a sign-in is deemed risky by events such as leaked credentials, sign-ins from anonymous IP addresses, and more. Risk policies include:
- Require all users to register for Azure AD MFA
- Require a password change for users that are high-risk
- Require MFA for users with medium or high sign-in risk
=> D is correct
upvoted 2 times
...
Tuno
3 years, 6 months ago
I would say the answer is correct: “The sign-in risk policy detects suspicious actions that come along with the sign-in. It is focused on the sign-in activity itself and analyzes the probability that the sign-in may not have been performed by the user. The sign-in risk checks for things like whether a user has signed in from an unfamiliar location or unfamiliar IP address. You can then choose to require MFA for users based on the risk level of their sign-ins.”
upvoted 2 times
...
Rlcky
3 years, 6 months ago
I think the right answer is to create a session policy: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad
upvoted 1 times
joergsi
3 years, 2 months ago
If you follow the link, you will find this requirement for session policy: Azure AD Premium P1 license, or the license required by your identity provider (IdP) solution => We don't have this license!
upvoted 1 times
NrdAlrt
1 year, 9 months ago
Actually, yes we do. Even E3 includes Azure AD Premium P1. E5 includes AADP P2. After researching all the arguments here, "Session based" is the best way to narrowly push MFA on a group for use of a specific application along a specific access vector... which is the nature of this question when you consider how much effort they went to list specifics all the way down to the specific license.
upvoted 1 times
...
...
...
fofo1960
3 years, 7 months ago
I am not sure that this is the correct answer.
upvoted 1 times
...
Noie
3 years, 8 months ago
It is not possible to CREATE a sign-in risk policy. Only configure and activate is possible.
upvoted 2 times
...