Topic: AZ-500 topic 2 question 37

HOTSPOT -
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.

The tenant contains the groups shown in the following table.

You configure a multi-factor authentication (MFA) registration policy that has the following settings:
- Assignments:
  - Include: Group1
  - Exclude: Group2
- Controls: Require Azure MFA registration
- Enforce Policy: On
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Re: AZ-500 topic 2 question 37

Answer is correct: Yes-No-Yes

Re: AZ-500 topic 2 question 37

The only exception here is User2 because it belongs to Group2, which is excluded in the policy.

Yes - No - Yes

Re: AZ-500 topic 2 question 37

In exam today: 53 q, 5 case studies -- no lab -- (in test center)

Re: AZ-500 topic 2 question 37

Are there any new questions not listed in this dump?

Re: AZ-500 topic 2 question 37

I am not sure about "MFA registration" and "during the user's next Azure AD authentication". For the next Azure AD authentication one should not conduct "MFA registration" again since he/she should have already done the MFA registration.

Re: AZ-500 topic 2 question 37

Y = USER 1 IS ONLY ASSIGNED TO GROUP 1, WHICH ENFORCES MFA REGISTRATION.
N = USER 2 BELONGS TO BOTH GROUP 1 AND 2, WHICH IS EXCLUDED. WHEN THERE IS A CONFLICT THE EXCLUSION WINS OUT.
Y = USER 3 BELONGS SOLELY TO GROUP 1, AS DOES USER 1, AND WILL NEED TO REGISTER WITH MFA DUE TO THE ENFORCEMENT.

Re: AZ-500 topic 2 question 37

Isn't user three being in a different on-prem Active Directory? Hence AAD MFA would not apply to him? Hence third option is NO.

Re: AZ-500 topic 2 question 37

YES
NO
YES

Re: AZ-500 topic 2 question 37

YNY is the answer.

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy#policy-configuration
Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

Re: AZ-500 topic 2 question 37

YES
NO
YES

Re: AZ-500 topic 2 question 37

If a user (User B) is a member of two groups in Azure AD (Group 1 and Group 2), and an MFA policy is enforced only for Group 1, while Group 2 is excluded, the following will occur when User B logs on:

If User B attempts to access a resource that is protected by the MFA policy and they are accessing the resource as a member of Group 1, they will be prompted to perform MFA.

If User B attempts to access a resource that is not protected by the MFA policy, or if they are accessing the resource as a member of Group 2, they will not be prompted to perform MFA.

In other words, the MFA policy will only apply to User B when they access resources as a member of Group 1. When accessing resources as a member of Group 2, the user will not be required to perform MFA. In this case, the Group 2 user is accessing resources which are excluded for MFA... I am satisfied with answer Yes, No, Yes.

Re: AZ-500 topic 2 question 37

The magic statement is "Require mfa REGISTRATION"

Re: AZ-500 topic 2 question 37

Yes - No - Yes is correct answer.

Re: AZ-500 topic 2 question 37

## On today's exam 03/12/2022 ##

Re: AZ-500 topic 2 question 37

Hey look at that...they got it right!

Re: AZ-500 topic 2 question 37

For a change...

Re: AZ-500 topic 2 question 37

YES - NO - YES
Exclusion takes precedence over inclusion

Re: AZ-500 topic 2 question 37

On today's exam 06/01/22

Re: AZ-500 topic 2 question 37

correct answer