
AZ-500 · Question #40

AZ-500 Question #40: Real Exam Question with Answer & Explanation


Submitted by jakub_pl · Mar 6, 2026

Manage identity and access - Implement and manage Azure AD Identity Protection policies including user risk and sign-in risk policies with group inclusions and exclusions (Microsoft SC-300 / AZ-500)

Question

Hotspot Question

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.

You create and enforce an Azure AD Identity Protection user risk policy that has the following settings:

- Assignment: Include Group1, Exclude Group2
- Conditions: Sign-in risk of Medium and above
- Access: Allow access, Require password change

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

The user risk policy applies to Group1 members but excludes Group2 members. User1 is in Group1 (not Group2), so when signing in from an unfamiliar location (which triggers medium or above risk), the policy applies and requires a password change - hence 'Yes'. User2 is in both Group1 and Group2, but since Group2 is explicitly excluded, the policy does NOT apply to User2, so no password change is required despite the anonymous IP risk. User3 is not in Group1 at all, so the policy's inclusion assignment never covers User3, meaning the malware-linked sign-in risk does not trigger the policy's password change requirement.

Topics

#Azure AD Identity Protection #User Risk Policy #Conditional Access #Group-based Policy Assignment
