Exam SC-300 topic 2 question 46 discussion

N N N User 1 No The User Risk = Low. Then User risk policy blocked access. User 2 No The Sign-in Risk = Unknown. But it is Confirm Safe so we can ignore this. The User risk = Medium. The user risk policy block access. User 3 No User 3 User Risk is dismissed, but anonymous IP address risk (this is Sign-in Risk) is still at High level. Hence the sign-in risk policy blocked the access. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#nonpremium-sign-in-risk-detections

User1 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User2 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User3 can sign in from an anonymous IP address: Yes - Anonymous IP address sign-in risk is Medium

NO NO YES

From what I learned/tested and read from the comments, I think : User 1 : No, because it was flagged comprised so it is blocked by the User risk policy User 2 : No, for the same reason, the sign-in risk was dismissed but the user risk was flagged compromised, so it is blocked by the User risk policy User 3 : Yes, it was initially a high risk user, but the risk was dismissed by the admin. It is now safe from being blocked by the User risk policy. Connecting from anonymous IP address represent a sign-in risk, I was not able to find if it is medium or high, I think it might depends on the IP ? If it is medium, then sign in is allowed because the Sign-in risk policy only blocks high-risk sign-ins. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks Here's an interesting article on how to simulate risk https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-simulate-risk

User1: No, because the User Risk Policy blocks all users with Low risk and above, even if MFA is available. User2: No, because User2 is marked as compromised and the User Risk Policy blocks Medium risk and above. User3: No, because the User Risk Policy already blocks them based on their previous High risk status, and their risk was only dismissed, not cleared for access. Even if User3's user risk was dismissed, their sign-in risk from an anonymous IP would likely be categorized as High. Since the Sign-in Risk Policy blocks High sign-in risk, User3 would still be blocked when trying to sign in from an anonymous IP.

N N Y In Azure, sign-ins from anonymous IP addresses (such as those using Tor browsers or anonymous VPNs) are considered a medium sign-in risk.

No. Compromised user1, regardless of risk level. No. Compromised user2, regardless of risk level. No.User 3, High sign-in risk due to anonymous IP, even with dismissed user risk.

No No No Made a High Risk Sign policy that block access. Tried to login from TOR browser with two different accounts. Error message: You cannot access this right now Your sign-in was successful, but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app or location that is restricted by your admin. Anonymous IP address Calculated in real-time. This risk detection type indicates sign-ins from an anonymous IP address (for example, Tor browser or anonymous VPN). These IP addresses are typically used by actors who want to hide their sign-in information (IP address, location, device, and so on) for potentially malicious intent. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address

User1 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User2 can sign in by using multi-factor authentication (MFA): No - Blocked access prevents self-remediation through password resets & Azure AD MFA User3 can sign in from an anonymous IP address: Yes - Anonymous IP address sign-in risk is Medium + User 3 has the following action performed on his account : "Dismiss User Risk"

No, No, Yes User1: The User Risk Policy for User1 specifies the User Risk as "Low and above" and the control as "Block Access". Therefore, User1 would not be allowed to sign in even via multi-factor authentication (MFA) since the policy is set to block access. User2: The User Risk Policy for User2 specifies the User Risk as "Low and above" and once the user is confirmed compromised, the policy as "Block Access" applies. Hence, User2 would not be allowed to sign in even via MFA after being confirmed as compromised. User3: The User Risk for User3 is dismissed. This means User3 can sign in from any location including anonymously. In case the Sign-in Risk becomes High, then User3 would not be allowed to sign in as per the Sign-in Risk Policy.

1. User1 can sign in by using multi-factor authentication (MFA). - No: User1's status is "Confirm user compromised," so access is blocked. 2. User2 can sign in by using multi-factor authentication (MFA). - No: User2's status is "Confirm sign-in safe," which means their access is allowed without MFA. 3. User3 can sign in from an anonymous IP address. - Yes: User3's status is "Dismiss user risk," and there's no mention of IP restrictions, so they can sign in from an anonymous IP address.

N N Y

Box 1: No - User canNOT sign in. The status is "Confirm user compromised". Upon receiving this feedback, we move the sign-in and user risk state to Confirmed compromised and risk level to High. Box 2: No - User can sign in. The status is "Confirm sign-in safe". Upon receiving this feedback, we move the sign-in (not the user) risk state to Confirmed safe and the risk level to None. BUT the last line says "Confirm user compromised". If the user is already remediated, don't select Confirm compromised because it moves the sign-in and user risk state to Confirmed compromised and risk level to High. Box 3: Yes - User CAN sign in A Dismiss user risk on the user level closes the user risk and all past risky sign-ins and risk detections.

My thoughts User 1 - No User Risk Action is "Confirm user compromised" User 2 - Yes User risk action is "Confirmed sign-in safe" Upon receiving Confirm Safe dfeedback Identity Pritection sets Risk Level to None - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/troubleshooting-identity-protection-faq#how-do-the-feedback-mechanisms-in-identity-protection-work User 3 - Yes User Risk action is "Dismiss user risk" so this is good. What level of Sign-in risk is assigned to Anonymous IP is not known, but I'm guessing that this should not be High "Microsoft doesn't provide specific details about how risk is calculated." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection#risk-levels

No No Yes

NO - User1 is now at High risk level after confirming user is compromised. Then User risk policy blocked access. NO - Sign-in of User 2 is safe. So we can bypass Sign-in risk policy Risk level of User2 is High due to the last action, so User risk policy block the access YES - User3 has "Dismiss risk User" so User Risk policy is bypassed. anonymous IP address is a risk, but context is missing to know if it's considered as an high risk. Maybe it's an outdated question when there were fix values defined by Microsoft for risk type. Anonymous IP was ranked as medium. Now we don't know how Microsoft calculates the risk level. https://www.rebeladmin.com/2020/11/step-by-step-guide-how-to-configure-sign-in-risk-based-azure-conditional-access-policies/

the user risk policy is block access N N Y