AZ-500 Question #313: Real Exam Question with Answer & Explanation

Question

You have been tasked with applying conditional access policies for your company's current Azure Active Directory (Azure AD). The process involves assessing the risk events and risk levels. Which of the following is the risk level that should be configured for sign ins that originate from IP addresses with dubious activity?

Options

• ANone
• BLow
• CMedium
• DHigh

Explanation

Medium is the correct risk level for sign-ins originating from IP addresses with suspicious or dubious activity because Azure AD Identity Protection specifically classifies "anonymous IP address" sign-ins (e.g., Tor browsers, VPNs, and known malicious IP ranges) as Medium risk - the activity is suspicious enough to warrant attention, but not definitively confirmed as compromised.

Why the distractors are wrong:

• A (None) is incorrect because flagged IP addresses clearly represent a potential threat and should not be ignored.
• B (Low) understates the risk - Low is reserved for minor anomalies like atypical travel patterns with limited threat indicators.
• D (High) is reserved for the most severe indicators, such as leaked credentials, impossible travel, or malware-linked IP addresses - a step above suspicious IPs.

Memory tip: Think of suspicious IPs as a "yellow flag" - concerning but not confirmed - which maps to Medium. High risk is the "red flag" (e.g., your password is on the dark web), while Low risk is a "heads-up" nudge. Dubious = Doubtful = Medium.

No community discussion yet for this question.