Your organization has a hybrid identity infrastructure with Microsoft Entra ID and on-premises Active Directory. You plan to implement Microsoft Entra ID Protection to detect and respond to identity risks. You need to ensure that risky sign-ins from anonymous IP addresses are automatically blocked, while still allowing legitimate users to self-remediate. What should you configure?
Conditional Access blocks sign-in, and user risk policy allows self-remediation.
Why this answer
Option C is correct because it combines a Conditional Access policy to block sign-ins from anonymous IP addresses with a user risk policy that allows legitimate users to self-remediate by performing a password change. This ensures that high-risk sign-ins are automatically blocked while users can still recover their accounts without administrative intervention.
Exam trap
The trap here is that candidates often confuse sign-in risk policies with user risk policies, or assume that a single policy can both block and remediate, when in fact two separate policies are needed to meet the requirements of automatic blocking and self-remediation.
How to eliminate wrong answers
Option A is wrong because a sign-in risk policy configured to block access at high risk does not specifically target anonymous IP addresses; it blocks based on the overall sign-in risk level, which may not automatically block all anonymous IP sign-ins.
Option B is wrong because manual review and blocking via the Identity Protection dashboard does not provide automatic blocking and self-remediation; it requires ongoing administrative effort and does not meet the requirement for automated response.
Option D is wrong because a user risk policy requiring a password change for high-risk users addresses user compromise but does not block sign-ins from anonymous IP addresses; it only triggers remediation after a risk is detected and does not prevent the initial risky sign-in.