Exam SC-300 topic 2 question 46 discussion

N N N User 1 No The User Risk = Low. Then User risk policy blocked access. User 2 No The Sign-in Risk = Unknown. But it is Confirm Safe so we can ignore this. The User risk = Medium. The user risk policy block access. User 3 No User 3 User Risk is dismissed, but anonymous IP address risk (this is Sign-in Risk) is still at High level. Hence the sign-in risk policy blocked the access. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#nonpremium-sign-in-risk-detections

User1 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User2 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User3 can sign in from an anonymous IP address: Yes - Anonymous IP address sign-in risk is Medium

No. Compromised user1, regardless of risk level. No. Compromised user2, regardless of risk level. No.User 3, High sign-in risk due to anonymous IP, even with dismissed user risk.

No No No Made a High Risk Sign policy that block access. Tried to login from TOR browser with two different accounts. Error message: You cannot access this right now Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin. Anonymous IP address Calculated in real-time. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their sign-in information (IP address, location, device, and so on) for potentially malicious intent. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address

User1 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User2 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User3 can sign in from an anonymous IP address: Yes - Anonymous IP address sign-in risk is Medium + User 3 has the following action performed on his account : "Dismiss User Risk"

No, No, Yes User1: The User Risk Policy for User1 specifies the User Risk as "Low and above" and the control as "Block Access". Therefore, User1 would not be allowed to sign in even via multi-factor authentication (MFA) since the policy is set to block access. User2: The User Risk Policy for User2 specifies the User Risk as "Low and above" and once the user is confirmed compromised, the policy as "Block Access" applies. Hence, User2 would not be allowed to sign in even via MFA after being confirmed as compromised. User3: The User Risk for User3 is dismissed. This means User3 can sign in from any location including anonymously. In case the Sign-in Risk becomes High, then User3 would not be allowed to sign in as per the Sign-in Risk Policy.

1. User1 can sign in by using multi-factor authentication (MFA). - No: User1's status is "Confirm user compromised," so access is blocked. 2. User2 can sign in by using multi-factor authentication (MFA). - No: User2's status is "Confirm sign-in safe," which means their access is allowed without MFA. 3. User3 can sign in from an anonymous IP address. - Yes: User3's status is "Dismiss user risk," and there's no mention of IP restrictions, so they can sign in from an anonymous IP address.

N N Y

Box 1: No - User canNOT sign in. The status is "Confirm user compromised". Upon receiving this feedback, we move the sign-in and user risk state to Confirmed compromised and risk level to High. Box 2: No - User can sign in. The status is "Confirm sign-in safe". Upon receiving this feedback, we move the sign-in (not the user) risk state to Confirmed safe and the risk level to None. BUT the last line says "Confirm user compromised". If the user is already remediated, don't select Confirm compromised because it moves the sign-in and user risk state to Confirmed compromised and risk level to High. Box 3: Yes - User CAN sign in A Dismiss user risk on the user level closes the user risk and all past risky sign-ins and risk detections.

My thoughts User 1 - No User Risk Action is "Confirm user compromised" User 2 - Yes User risk action is "Confirmed sign-in safe" Upon receiving Confirm Safe dfeedback Identity Pritection sets Risk Level to None - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/troubleshooting-identity-protection-faq#how-do-the-feedback-mechanisms-in-identity-protection-work User 3 - Yes User Risk action is "Dismiss user risk" so this is good. What level of Sign-in risk is assigned to Anonymous IP is not known, but I'm guessing that this should not be High "Microsoft doesn't provide specific details about how risk is calculated." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#risk-levels

No No Yes

NO - User1 is now at High risk level after confirming user is compromised. Then User risk policy blocked access. NO - Sign-in of User 2 is safe. So we can bypass Sign-in risk policy Risk level of User2 is High due to the last action, so User risk policy block the access YES - User3 has "Dismiss risk User" so User Risk policy is bypassed. anonymous IP address is a risk, but context is missing to know if it's considered as an high risk. Maybe it's an outdated question when there were fix values defined by Microsoft for risk type. Anonymous IP was ranked as medium. Now we don't know how Microsoft calculates the risk level. https://www.rebeladmin.com/2020/11/step-by-step-guide-how-to-configure-sign-in-risk-based-azure-conditional-access-policies/

the user risk policy is block access N N Y