Your organization has a Microsoft 365 tenant that contains the following users.
You configure an Azure AD Identity Protection sign-in risk policy with the following settings:
- Assigned to Group1 and excludes Group2.
- Only apply if the user risk level is medium or above.
- If the user risk level is medium or above, allow access but require a password change.
The risk level for each user is shown below.
Which users will be required to change their password?
User1 will be required to change his password.
User1 is in Group1, to which the policy applies.
User2 will not be required to change his password.
User2 is in Group2, which is excluded from the policy.
User3 will not be required to change his password.
User3 is in Group1, which is included in the policy, but is also in Group2, which is excluded from the policy. In this case, the exclusion wins, so the policy does not apply to User3.