Exam SC-300 topic 2 question 27 discussion

Actual exam question from Microsoft's SC-300
Question #: 27
Topic #: 2

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

In Azure AD Identity Protection, you configure a user risk policy that has the following settings:
✑ Assignments:
- Users: Group1
- User risk: Low and above
✑ Controls:
- Access: Block access
✑ Enforce policy: On
In Azure AD Identity Protection, you configure a sign-in risk policy that has the following settings:
✑ Assignments:
- Users: Group2
- Sign-in risk: Low and above
✑ Controls:
- Access: Require multi-factor authentication
✑ Enforce policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Yes -
Note: Azure AD Identity Protection can review user sign-in attempts and take additional action if there's suspicious behavior. Some of the following actions may trigger Azure AD Identity Protection risk detection:
- Users with leaked credentials.
- Sign-ins from anonymous IP addresses. (the detection this question turns on)
- Impossible travel to atypical locations.
- Sign-ins from infected devices.
- Sign-ins from IP addresses with suspicious activity.
- Sign-ins from unfamiliar locations.

Box 2: No -

Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa

Comments

existingname
Highly Voted 2 years, 6 months ago
Anonymous IP triggers the sign-in risk policy (not the user risk policy).
So User1 gets only the user risk policy -> not affected, can log in: YES
User2 is affected by the sign-in risk policy, and has no MFA so cannot log in: NO
User 3 gets both policies, but only policy 2 is used for the anonymous IP, and he has MFA, so can log in: YES
Ref: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
upvoted 63 times
existingname
2 years, 6 months ago
On the exam today, I answered Yes No Yes
upvoted 11 times
...
kanew
1 year, 10 months ago
Perfectly explained - I agree it's Y,N,Y
upvoted 6 times
...
mcas
2 years, 3 months ago
I think User 2 should be YES. MFA disabled doesn't mean the user cannot use it; the user will be prompted to set up MFA first and after that he can use it. Tested it in a lab.
upvoted 1 times
purek77
2 years, 2 months ago
Unfortunately MS thinks that first you use the MFA registration policy to make sure that all users do have MFA enabled and configured. Why? Because "If a sign-in risk policy prompts for MFA, the user must already be registered for Azure AD Multi-Factor Authentication." So the 2nd option is No.
upvoted 4 times
LeTrinh
2 years ago
You're right, Purek77 https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa
upvoted 1 times
...
Holii
1 year, 9 months ago
You'd have a field day on the AZ-500 examtopics dump. There are a TON of these questions, and every single one tosses out "MFA is enabled but not enforced, but the user can still technically login"
upvoted 1 times
...
...
...
ItchyBrain81
2 years, 6 months ago
User3 is the tricky one. The question asks "Can the user sign in from an anonymous IP address?". The answer is "No". The user can sign in after MFA is confirmed.
upvoted 3 times
...
...
0byte
Highly Voted 2 years, 4 months ago
Sign-in from an anonymous IP address falls into sign-in risk. This means only members of Group 2 will be affected by Identity Protection. User1 can log in from any IP as the user's IP is not scrutinized; the user is not in scope of the sign-in policy. User2 cannot log in. This user is in scope of the sign-in policy and will be challenged to perform MFA. Since MFA is disabled, the MFA challenge will be unsuccessful and login fails. User3 can log in. This user is also in scope of the sign-in policy, but since the user's MFA is working (hence assuming a successful MFA challenge) the user will be granted access. I'd say: Y-N-Y
upvoted 8 times
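As an added example (not from the page, ExamTopics, or Microsoft), a small Python model of the reasoning in the comments above: each detection feeds either sign-in risk or user risk, a policy applies only to users in its assigned group, and a require-MFA control fails for a user who cannot complete the challenge. The user table is not on the page, so the three users are reconstructed from the comments (an assumption), and the model goes beyond the anonymous-IP case by also evaluating a user-risk detection (leaked credentials) against the same two policies.

```python
from dataclasses import dataclass

# Detection -> the risk type it feeds, as the commenters read the Identity
# Protection docs: an anonymous IP is a sign-in risk detection, not a user risk.
DETECTION_RISK_TYPE = {"anonymous_ip": "sign_in", "atypical_travel": "sign_in",
                       "leaked_credentials": "user"}

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_registered: bool  # can this user complete an MFA challenge?

@dataclass(frozen=True)
class Policy:
    name: str
    risk_type: str        # "user" or "sign_in"
    groups: frozenset     # assignment scope
    control: str          # "block" or "require_mfa"

def evaluate_sign_in(user, detection, policies):
    """Return (can_sign_in, reason) for one attempt that raises `detection`."""
    risk_type = DETECTION_RISK_TYPE[detection]
    verdicts = []
    for p in policies:
        # Only policies of the matching risk type whose scope contains the user apply.
        if p.risk_type != risk_type or not (user.groups & p.groups):
            continue
        if p.control == "block":
            verdicts.append((False, f"{p.name}: block access"))
        elif user.mfa_registered:
            verdicts.append((True, f"{p.name}: MFA challenge satisfied"))
        else:  # require_mfa, but the user cannot satisfy it
            verdicts.append((False, f"{p.name}: MFA required but not registered"))
    if not verdicts:
        return True, "no applicable policy; access granted"
    blocked = [v for v in verdicts if not v[0]]   # block wins over grant
    return (False, "; ".join(r for _, r in blocked)) if blocked else verdicts[0]

# Policies exactly as configured in the question.
POLICIES = [Policy("user risk policy", "user", frozenset({"Group1"}), "block"),
            Policy("sign-in risk policy", "sign_in", frozenset({"Group2"}), "require_mfa")]
# User table reconstructed from the comments (assumption: the image is not on the page).
USERS = [User("User1", frozenset({"Group1"}), mfa_registered=False),
         User("User2", frozenset({"Group2"}), mfa_registered=False),
         User("User3", frozenset({"Group1", "Group2"}), mfa_registered=True)]

def results(detection="anonymous_ip"):
    """Map each user to whether the sign-in succeeds under the given detection."""
    return {u.name: evaluate_sign_in(u, detection, POLICIES)[0] for u in USERS}
```

Calling `results()` gives the Y-N-Y outcome the comments argue for; `results("leaked_credentials")` shows the user risk policy blocking User1 and User3 instead.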
...
d1e85d9
Most Recent 4 days, 1 hour ago
YES NO YES
upvoted 1 times
...
YesPlease
3 weeks, 2 days ago
Anonymous IP applies to the "Sign-in Risk Policy" ONLY.
Yes - User1 is not a member of Group2, so they are not affected by the Group2 sign-in policy and can sign in.
No - User2 is a member of Group2 and does not have MFA enabled, so they are blocked from sign-in.
Yes - User3 is a member of Group2 and has MFA, so they can log in.
upvoted 1 times
...
enklau
5 months ago
I'll go with Yes No Yes, as they assume that User1/3 are already logged in within the scope of the policy, so the user risk policy has nothing to do with anonymous IPs.
upvoted 1 times
...
emartiy
11 months, 3 weeks ago
Definitely YES NO YES.
1) Yes - User1 is not a member of Group2. So, when User1 logs in via an anonymous IP the sign-in policy isn't applied to this user and they can log in without any interruption.
2) No - User2 is a member of Group2, to which the risky sign-in policy is applied due to login via an anonymous IP, and User2 has MFA disabled, which the related policy asks for, so User2 won't be able to complete the sign-in.
3) Yes - User3 is a member of Group2, to which the risky sign-in policy is applied due to login via an anonymous IP, and User3's MFA is enabled and in use. So this user can continue with MFA once it is asked for by the risky sign-in policy.
Note: the user risk policy works based on leaked credentials and Azure AD threat intelligence according to the user risk level. Check Microsoft Learn for more info.
Note 2: the risky sign-in policy works based on anonymous IP address, atypical travel, malware-linked IP address, unfamiliar sign-in properties, leaked credentials, and password spray. It is triggered according to each login attempt's source, method, etc.
upvoted 2 times
...
MatExam
1 year, 1 month ago
All seems correct about what is said for User 1 and 3, but I don't agree on User 2... User 2 has the status disabled; this simply means MFA is not enforced, but it can still be used. To quote MS: "When the MFA status is disabled, it means that the user is not required to provide additional authentication beyond their password to access their account. However, it is possible that MFA is still being used in some capacity, such as for certain applications or services." Disabled only means the user is not enrolled in per-user MFA, but it doesn't mean MFA is not configured... https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates So the answer "should" be Y-Y-Y... but you never know what MS is after, so it is always a gamble. It is not like you can defend your answer.
upvoted 2 times
MatExam
1 year, 1 month ago
Even more, if the user risk policy would hit User 1, then the user would remediate; SSPR would kick in, which also requires MFA. Since the status is "enabled" it means no MFA method is registered, for sure, so remediation would not work... In contrast with User 2, which has status "disabled", you don't know if there is a method registered or not... so this is in a way Schrödinger's User :D
upvoted 1 times
...
...
BenLam
1 year, 4 months ago
Even the reference provided in the answer says sign-in risk prompts for MFA if configured, which it is. So it's YNY.
upvoted 1 times
...
EmnCours
1 year, 7 months ago
Yes No Yes
upvoted 2 times
...
dule27
1 year, 9 months ago
Yes No Yes
upvoted 2 times
...
TomasValtor
1 year, 9 months ago
#2 should be No. "Makes sure users are registered for Azure AD Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure AD Multi-Factor Authentication."
upvoted 1 times
...
Aquintero
2 years, 1 month ago
For me the correct answer is Yes, No, Yes
upvoted 1 times
...
jojoseph
2 years, 1 month ago
Yes No Yes
upvoted 1 times
...
jack987
2 years, 2 months ago
The correct answer is Yes - No - No. I agree with zokaniedereenhet: User 3 is a member of both Group 1 and 2. Group 1 has a blocking action. Block wins over grant, so the user can't log in. https://danielchronlund.com/2018/11/23/how-multiple-conditional-access-policies-are-applied/
upvoted 2 times
jack987
2 years, 2 months ago
I made a mistake. The correct answer is Y-N-Y. I agree with existingname and 0byte. User 3 gets both policies, but only policy 2 is used for the anonymous IP, and he has MFA, so can log in: YES
upvoted 5 times
...
...
zokaniedereenhet
2 years, 2 months ago
I agree the given answer (Y,N,N) is correct. User 3 is a member of both Group 1 and 2. Group 1 has a blocking action. Block wins over grant, so the user can't log in. https://danielchronlund.com/2018/11/23/how-multiple-conditional-access-policies-are-applied/
upvoted 3 times
Cepheid
2 years, 2 months ago
Block wins over grant. However, we're talking here about user and sign-in risk policies. The question concerns a sign-in risk type. It should be Y,N,Y.
upvoted 4 times
purek77
2 years, 2 months ago
Come on guys - Group 2 is for a different policy (sign-in) - you can't even think about who should win here.
upvoted 3 times
...
...
...
[Removed]
2 years, 3 months ago
Given answer is correct!
upvoted 1 times
...