AZ-500 Question #223: Real Exam Question with Answer & Explanation

Question

You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant. You plan to implement Azure Active Directory (Azure AD) Identity Protection. You need to ensure that you can configure a user risk policy and a sign-in risk policy. What should you do first?

Options

• APurchase Azure Active Directory Premium Plan 2 licenses for all users.
• BRegister all users for Azure Multi-Factor Authentication (MFA).
• CEnable security defaults for Azure AD.
• DUpgrade Azure Security Center to the standard tier.

Explanation

Explanation

Azure AD Identity Protection - including the ability to configure user risk policies and sign-in risk policies - is a feature exclusive to Azure Active Directory Premium Plan 2 (P2). Since the tenant is currently on Premium Plan 1, upgrading to P2 licenses for all users is the necessary first step before these policies can be configured.

Why the distractors are wrong:

• B (Register users for MFA): While MFA is used as a remediation action within Identity Protection policies, you cannot even configure those policies without P2 licenses - MFA registration alone doesn't unlock the feature.
• C (Enable security defaults): Security defaults provide basic, pre-configured security settings for free-tier tenants, but they actually conflict with conditional access and do not enable Identity Protection risk policies.
• D (Upgrade Security Center): Azure Security Center (now Microsoft Defender for Cloud) is a separate service focused on infrastructure/workload protection and has no bearing on enabling Azure AD Identity Protection features.

Memory Tip 🧠

Think of it as a license ladder: Free → P1 → P2. Identity Protection risk policies sit at the very top rung (P2 only), so before configuring anything, you must climb to that level first. If a question mentions risk policies, think P2 immediately.

No community discussion yet for this question.