Exam AZ-500 topic 2 question 71 discussion

User1 - is excluded but user1 MFA is Enabled Exclusion will take precedence. Ans: MFA will be prompted User2 - is include and user meet the above threshold for sign-in risk level: low and above therefor user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA. Their access will be blocked Ans: Be blocked

I think in both the cases the user will be prompted for MFA

User1: "Sign in by using a username and password only.” User2: “Be blocked”

User 1 has to use(setup) an MFA, regardless to his group membership, since MFA is enabled. If MFA was disabled, user wouldn't be blocked because of the exclusion.

User1 = Excluded Yes but the MFA is enabled and enable mean it will prompt him but he still can skip it setup to use his user name as its not enforced. The question is asking about the prompting MFA then we need to answer that part ( enforced will prompt and he must use it ). User 2 = Need to use MFA but its not enabled so he will be blocked.

User1 - will be prompted to set up MFA, but can log in without MFA (he is excluded from the policy) User2 - will be blocked (he has not enrolled in MFA and can't do that during a risky signin)

We are talking about "Identity Protection" and not "Conditional Access". Answer for me is: "Sing in by using.....", because MFA is activated, it does not show you the MFA PROMP, it gives you the option to configure it or do it later, if you say do it later you go straight in. Regarding the second, it will force you to configure MFA although it does not change the user's status.

On exam 1/2/24

I have tested this in the Lab When User has MFA enabled it will prompt for MFA When User has MFA disabled it will still prompt for MFA if the user is required to do MFA.

enabled does not mean enforced so i think box 1 user name and pass box 2 : blocked

User1 - is excluded but user1 MFA is Enabled Exclusion will take precedence. Ans: MFA will be prompted User2 - is include and user meet the above threshold for sign-in risk level: low and above therefor user account will be blocked. Note: If you target this policy to a user that hasn't registered for MFA. Their access will be blocked Ans: Be blocked Reference: http://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-accesspolicies/ https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identityprotection- policies https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/conceptidentity- protection-risks

If you create a mandatory MFA policy and explicitly exclude USER1 from that policy, but USER1 already has MFA enabled on their account, they will not be affected by the policy. This is because the explicit deletion of the MFA policy should override the policy, allowing USER1 to continue using their multi-factor authentication as usual. The opt-out policy is more specific and will take priority over the MFA mandatory policy. Therefore, USER1 will be able to authenticate without any problems using MFA.

In Exam - 28/7/2023

user 1 is excluded in this policy since exclude takes precedence. therefore user one will be blocked.

User1, Sign in by using a username and paswword only Not affected cuz is excluded and : If a user has MFA configured as enabled but not forced, they are not obligated to configure and use MFA. In this case, the user can choose to sign in using only their username and password without using MFA. Having MFA enabled but not forced means that users are recommended or encouraged to use MFA to add an additional layer of security to their account, but they are not required to do so. Users have the option to configure and use MFA if they wish, but it is not imposed as a mandatory requirement. User2, be blocked cuz is affected and dont have mfa

1. Be prompted for MFA 2. Be blocked https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies#risk-remediation Users must register for Azure AD MFA before they face a situation requiring remediation. Users not registered are blocked and require administrator intervention.

Both will be promoted for MFA. If MFA is disabled for a user and an access policy force it for login user with MFA disabled status won't be blocked, they will be prompted to set the MFA upon login.