What Types of Risk Does Azure AD Identity Protection Detect for Users and Sign-ins?
Get a clear explanation of how Azure AD Identity Protection evaluates risk for AZ-500 exam. Understand the difference between user risk and sign-in risk policies and the signals used for detection, such as leaked credentials, anonymous IPs, and atypical travel.
Question
Microsoft Azure AD Identity Protection evaluates risk associated with:
A. users and sign-ins
B. users
C. users and devices
D. users, sign-ins, and devices
Answer
A. users and sign-ins
Explanation
Azure AD Identity Protection evaluates risk associated with users and with individual sign-in attempts.
The correct answer is A. Azure AD Identity Protection is designed to detect and remediate identity-based risks by focusing on two distinct risk categories: user risk and sign-in risk.
Azure AD Identity Protection Core Concepts
Azure AD Identity Protection (now branded Microsoft Entra ID Protection) uses signals from various sources, including Microsoft’s internal and external threat intelligence, to calculate a risk level for each user and for each sign-in attempt. Because the evaluation is automated, organizations can respond to a potential identity compromise without waiting for a manual investigation.
User Risk
User risk represents the probability that a specific user account has been compromised. This is a persistent assessment of the user’s identity based on their historical activity and known threats. A user’s risk level can be low, medium, or high.
- Detection Signals: Signals that contribute to user risk include leaked credentials found on the dark web, sign-ins from IPs associated with password spray attacks, or other behavior that suggests the user’s credentials are no longer secure.
- Policy Enforcement: A user risk policy can be configured to trigger actions when a user’s risk level reaches a certain threshold. For example, a high-risk user could be required to perform multi-factor authentication (MFA) and reset their password.
Sign-in Risk
Sign-in risk represents the probability that a specific authentication request is not authorized by the legitimate user. This is a real-time assessment of an individual login attempt.
- Detection Signals: Signals that contribute to sign-in risk include attempting to sign in from an anonymous IP address, atypical travel (signing in from geographically distant locations in a short time), a malware-linked IP address, or from an unfamiliar location or device.
- Policy Enforcement: A sign-in risk policy can enforce controls on a suspicious login attempt. For instance, a medium or high-risk sign-in can be blocked or challenged with MFA before access is granted.
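The following Python model is an added illustration of the two categories described above, not code from the page and not Microsoft’s detection logic. It keeps user risk (a persistent assessment of the account, here driven by leaked credentials or password-spray activity) separate from sign-in risk (a per-request assessment driven by anonymous IPs, malware-linked IPs, unfamiliar devices and atypical travel), and then applies a user risk policy and a sign-in risk policy of the kind the text describes. The signal weights, the 900 km/h travel threshold, the level thresholds and the sample sign-ins are all constructed assumptions.

```python
"""Toy user-risk / sign-in-risk evaluator (constructed example, not Microsoft's logic)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

LEVELS = ["none", "low", "medium", "high"]   # ordered from least to most risky


@dataclass
class SignIn:
    user: str
    when: datetime                 # UTC timestamp of the authentication request
    lat: float
    lon: float
    anonymous_ip: bool = False     # request came through an anonymiser / Tor exit
    malware_linked_ip: bool = False  # source IP is known to host malware C2
    familiar_device: bool = True   # device has been seen for this user before


@dataclass
class UserState:
    user: str
    leaked_credentials: bool = False  # credentials found in a public credential dump
    password_spray_ip: bool = False   # recent sign-in from an IP tied to a spray campaign
    last_sign_in: Optional[SignIn] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_atypical_travel(prev: Optional[SignIn], cur: SignIn, max_kmh: float = 900.0) -> bool:
    """Atypical travel: the two sign-ins would require faster-than-airliner travel."""
    if prev is None:
        return False
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:                    # simultaneous attempts from different places
        return km > 50.0
    return km / hours > max_kmh


# Constructed weights: how strongly each sign-in signal raises the per-request score.
SIGNAL_WEIGHTS = {"anonymous_ip": 2, "malware_linked_ip": 3, "atypical_travel": 2, "unfamiliar_device": 1}


def sign_in_signals(state: UserState, cur: SignIn) -> List[str]:
    """Collect the sign-in risk signals present on one authentication request."""
    signals = []
    if cur.anonymous_ip:
        signals.append("anonymous_ip")
    if cur.malware_linked_ip:
        signals.append("malware_linked_ip")
    if is_atypical_travel(state.last_sign_in, cur):
        signals.append("atypical_travel")
    if not cur.familiar_device:
        signals.append("unfamiliar_device")
    return signals


def sign_in_risk(state: UserState, cur: SignIn) -> str:
    """Real-time risk level for a single request (constructed score thresholds)."""
    score = sum(SIGNAL_WEIGHTS[s] for s in sign_in_signals(state, cur))
    if score == 0:
        return "none"
    if score == 1:
        return "low"
    return "medium" if score < 4 else "high"


def user_risk(state: UserState) -> str:
    """Persistent risk level for the account itself."""
    if state.leaked_credentials:
        return "high"
    if state.password_spray_ip:
        return "medium"
    return "none"


def at_or_above(level: str, threshold: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(threshold)


def required_controls(user_level: str, signin_level: str) -> List[str]:
    """User risk policy: high user risk -> MFA plus password change.
    Sign-in risk policy: medium sign-in risk -> MFA challenge; high -> block."""
    controls: List[str] = []
    if at_or_above(user_level, "high"):
        controls += ["mfa", "password_change"]
    if signin_level == "high":
        controls.append("block")
    elif at_or_above(signin_level, "medium"):
        controls.append("mfa")
    return list(dict.fromkeys(controls))   # de-duplicate, keep order


# Constructed sample data: Alice signs in from London, then "from" New York an hour later.
LONDON, NEW_YORK, PARIS = (51.5074, -0.1278), (40.7128, -74.0060), (48.8566, 2.3522)
alice = UserState("alice", last_sign_in=SignIn("alice", datetime(2024, 1, 10, 9, 0), *LONDON))
ny_attempt = SignIn("alice", datetime(2024, 1, 10, 10, 0), *NEW_YORK, anonymous_ip=True)
paris_attempt = SignIn("alice", datetime(2024, 1, 10, 15, 0), *PARIS)
bob = UserState("bob", leaked_credentials=True)   # compromised account, benign-looking sign-in

if __name__ == "__main__":
    for state, attempt in [(alice, ny_attempt), (alice, paris_attempt), (bob, paris_attempt)]:
        u, s = user_risk(state), sign_in_risk(state, attempt)
        print(f"{state.user}: user_risk={u} sign_in_risk={s} "
              f"signals={sign_in_signals(state, attempt)} -> {required_controls(u, s)}")
```

The point the split makes visible: Bob’s sign-in from Paris looks perfectly normal as a request, yet the user risk policy still forces MFA and a password change because the account itself is considered compromised; Alice’s New York attempt is the opposite case, a clean account whose individual request is high risk and is therefore blocked.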
Why Other Options Are Incorrect
While device information is a critical part of Azure’s overall security posture, it is not a primary risk category evaluated directly by Identity Protection. Instead, device state (e.g., compliance status managed by Intune) is typically used as a condition within Conditional Access policies. A sign-in from a non-compliant device can be a signal that contributes to the sign-in risk score, but “device risk” itself is not a distinct category that Identity Protection calculates alongside user and sign-in risk. Therefore, options C and D are incorrect. Option B is incomplete rather than wrong: Identity Protection does evaluate users, but it also evaluates each sign-in attempt, so “users” alone omits half of what the service assesses.