© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Secure identity and access

Practice AZ-500 Secure identity and access questions with full explanations on every answer.

130 questions


All AZ-500 Secure identity and access questions (130)


1

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

2

Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?

3

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

4

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

5

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

6

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

7

You are troubleshooting why a user cannot sign in to a custom line-of-business application that is federated with Microsoft Entra ID. The user reports that they are repeatedly prompted for credentials and then receive an error. The application is configured for SAML-based SSO. What is the most likely cause?

8

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication method that reduces password-related risks. The solution must support users signing in from unmanaged devices without installing any software. Which authentication method should you prioritize?

9

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to implement a solution that detects password changes on-premises and forces re-authentication for active sessions within minutes. Which feature should you enable?

10

Which TWO of the following are valid configurations for Microsoft Entra ID Conditional Access policies?

11

Which THREE of the following are capabilities of Microsoft Entra ID Protection?

12

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

13

Refer to the exhibit. You are analyzing a Conditional Access policy JSON. The policy requires MFA for Office 365 applications. However, users report that they are still able to access Office 365 without MFA. What is the most likely reason?

14

Refer to the exhibit. You are reviewing the output of the Get-AzureADGroup PowerShell cmdlet. You need to create a Conditional Access policy that dynamically includes users based on their department attribute set to 'Finance'. Which group should you use in the policy?

15

Refer to the exhibit. You are configuring an Entitlement Management access package. The policy allows any existing user to request access without approval, and access expires after 30 days. However, security requirements dictate that all access to Finance applications must be reviewed by the finance team manager every quarter. What should you add to the policy?

16

Your organization uses Microsoft Entra ID for identity management. You need to prevent users from using their work accounts to access corporate resources from untrusted locations unless they have registered their devices. Which conditional access policy setting should you configure?

17

You are implementing Microsoft Entra ID Protection. You need to detect and respond to risky user behaviors such as leaked credentials and anonymous IP address usage. Which feature should you enable?

18

Your company deploys Microsoft Sentinel for security operations. You need to configure just-in-time (JIT) access for Azure VMs. Which Azure security feature should you integrate with Sentinel?

19

You are designing a secure access solution for an Azure App Service web application. The application uses Microsoft Entra ID for authentication. You need to ensure that only users from specific partner organizations can access the app. Which configuration should you use?

20

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

21

Your company is implementing a zero-trust security model. You need to ensure that all access to cloud applications is continuously verified based on user identity, device health, and location. Which combination of Microsoft security solutions should you use?

22

You are configuring Microsoft Entra ID Connect to synchronize on-premises Active Directory identities to the cloud. You need to ensure that password hashes are synchronized to enable Microsoft Entra ID Password Protection and Identity Protection. Which option should you enable?

23

Your organization uses Microsoft Entra ID and wants to provide external partners with access to a specific SharePoint Online site. You need to ensure that partners authenticate using their own corporate credentials (SAML/WS-Fed) and that access is automatically revoked when the partner's account is disabled. Which solution should you use?

24

Refer to the exhibit. A Microsoft Entra ID Conditional Access policy is defined as shown. You observe that the policy is blocking all users from accessing email via Exchange ActiveSync, but users can still access email via Outlook for iOS. What is the most likely reason?

25

Which TWO actions should you perform to implement Microsoft Entra ID Password Protection for an on-premises Active Directory environment? (Choose two.)

26

Which THREE conditions can be used in a Microsoft Entra ID Conditional Access policy to control access based on sign-in risk? (Choose three.)

27

Which TWO features are available in Microsoft Entra ID Privileged Identity Management (PIM) for managing Azure AD roles? (Choose two.)

28

Which THREE Microsoft Entra ID roles can be assigned to a user to manage Microsoft Defender XDR (formerly Microsoft 365 Defender) incidents? (Choose three.)

29

Refer to the exhibit. You are configuring a PIM role setting for an Azure AD role. The exhibit shows the activation settings. A user activates the role and provides a justification. An approver from the Security Team does not see any pending requests. What is the most likely reason?

30

Refer to the exhibit. You run the PowerShell cmdlet Get-AzureADPolicy for a tenant. Based on the output, what is the access token lifetime for this policy?

31

You manage a Microsoft Entra ID tenant for a multinational company. Users in the European office report that they cannot access the company's custom line-of-business application during peak hours, while users in the US office have no issues. The application uses OAuth 2.0 authentication with Conditional Access policies applied. What is the most likely cause?

32

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage roles. You need to ensure that when a user activates a role, the activation is automatically approved only if the user's manager approves within 30 minutes. If the manager does not respond, the activation is denied. What configuration should you implement?

33

You are a security engineer for a company that uses Microsoft Entra ID. You need to ensure that all users accessing the company's Salesforce application from unmanaged devices are prompted for multi-factor authentication (MFA) every time. What should you configure?

34

Your organization has a Microsoft Entra ID tenant with 50,000 users. You are designing a solution to automatically revoke access for users who have not signed in for 90 days. The solution must be cost-effective and use built-in Microsoft Entra ID features. What should you do?

35

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access Exchange Online. The solution must require users to reauthenticate every 12 hours. What should you configure?

36

You need to assign the 'Security Administrator' role in Microsoft Entra ID to a user named User1. The role assignment must be eligible, and User1 must provide a justification when activating the role. What should you use?

37

Your organization uses Microsoft Entra ID and has several applications registered. You need to ensure that only specific applications can call a particular web API. The web API is also registered in Microsoft Entra ID. What should you configure?

38

Your company uses Microsoft Entra ID and Microsoft Sentinel. You need to detect when a user account is created outside of normal business hours (9 AM - 5 PM local time) and automatically suspend the account. What should you use?

39

You need to ensure that external users who are invited to collaborate via Microsoft Entra B2B can only access the applications assigned to them. Which configuration should you use?

40

Your organization uses Microsoft Entra ID. You need to recommend solutions to reduce the risk of privileged role abuse. Which TWO actions should you recommend? (Choose two.)

41

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication strategy that satisfies the following requirements:
- Users must not be able to bypass security verification using alternate authentication methods.
- Passwordless authentication should be used where possible.
- Legacy authentication protocols must be blocked.
Which THREE actions should you take? (Choose three.)

42

Your organization uses Microsoft Entra ID and has a hybrid identity with Microsoft Entra Connect. You need to ensure that all user password changes and resets are synchronized to the cloud within 30 minutes. Which TWO actions should you take? (Choose two.)

43

Refer to the exhibit. You are creating a custom Azure RBAC role for a security analyst. The role as shown allows read access to storage accounts. The analyst reports that they cannot read the contents of a blob container in a storage account. Why is this?

44

Refer to the exhibit. You are reviewing user sign-in activity using Microsoft Graph API. The user has not performed an interactive sign-in since December 1, but had a non-interactive sign-in on December 5. You need to determine if the user should be considered inactive for a policy that defines inactivity as no interactive sign-in for 30 days. Today is December 15. What should you do?

45

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

46

Your company uses Microsoft Entra ID with a hybrid identity model. You need to implement a solution that allows you to block legacy authentication attempts while still allowing modern authentication protocols. What should you use?

47

You are designing a Microsoft Entra ID tenant for a multinational organization. The security team requires that all administrative users must use phishing-resistant MFA. Administrators are located in different regions and may use different devices. Which MFA method should you enforce?

48

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without contacting IT. Which feature should you enable?

49

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access corporate email. You configure a Conditional Access policy targeting Exchange Online. Which grant control should you use?

50

You are troubleshooting an issue where users are unable to access a sensitive application protected by a Conditional Access policy. The policy requires MFA from trusted locations, but users are reporting that they are prompted for MFA even when connecting from the corporate office, which is defined as a trusted location. What is the most likely cause?

51

Your organization uses Microsoft Entra ID. The security team wants to ensure that users cannot reuse the last five passwords. Which feature should you configure?

52

Your company uses Microsoft Entra ID and has Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud apps based on user behavior. Which feature should you use?

53

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to ensure that all privileged role activations are approved by a manager and require a ticket number. What should you configure in PIM?

54

Your company uses Microsoft Entra ID. You need to block sign-ins from countries where your company does not operate. Which approach should you use?

55

Which TWO of the following are methods to enforce MFA in Microsoft Entra ID?

56

Which THREE of the following can be used to provide just-in-time (JIT) privileged access to Azure resources?

57

Which TWO of the following are valid authentication methods in Microsoft Entra ID?

58

Refer to the exhibit. A Conditional Access policy is configured to block legacy authentication for Office 365. However, users are still able to access Exchange Online using Outlook (modern authentication). What is the most likely reason?

59

Refer to the exhibit. A user is eligible for a role in PIM. When they activate the role, how long will the activation last?

60

Refer to the exhibit. You run the command and see the output. What does the UserType 'Member' indicate?

61

Your organization is using Microsoft Entra ID Conditional Access to enforce MFA for all external users. A partner company reports that their users are prompted for MFA every time they access your resources, even though they already authenticated in their home tenant. What should you configure to reduce repeated prompts?

62

You are designing a privileged access strategy for Microsoft Entra ID. Your organization requires that all users who are assigned to the Global Administrator role must perform a privileged elevation only when needed, and the elevation must be approved by a security officer. Which feature should you implement?

63

You are a security engineer for a company that uses Microsoft Entra ID. You need to implement a solution that automatically blocks sign-ins from users detected as having compromised credentials. The solution should work in real-time and require no manual intervention. What should you use?

64

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users can reset their own passwords without help desk intervention, but they must register for self-service password reset (SSPR) first. Which configuration is required?

65

You are troubleshooting a sign-in issue. A user reports that they are repeatedly prompted for authentication when accessing a cloud app, even though they already authenticated earlier in the day. You check the Conditional Access policy and see that 'Session control - Sign-in frequency' is set to 1 hour. What is the most likely cause?

66

Your organization uses Microsoft Entra ID and requires that all access to sensitive applications be approved by the application owner. You need to implement a solution where users can request access to these applications, and the request is automatically routed to the owner for approval. What should you configure?

67

You need to grant a user the ability to reset passwords for all users in the finance department. The finance department users are in a specific organizational unit (OU) in on-premises Active Directory, which syncs to Microsoft Entra ID. What is the most secure way to delegate this?

68

Your organization uses Microsoft Entra ID. You need to ensure that users accessing internal applications from unmanaged devices are required to use Microsoft Edge with specific security configurations. Which Conditional Access control should you use?

69

You are implementing a B2B collaboration solution in Microsoft Entra ID. You need to ensure that external users from a partner tenant can access your internal applications, but they must use MFA from their home tenant. The partner tenant does not support MFA. What should you do?

70

Which TWO of the following are valid methods to authenticate users in Microsoft Entra ID?

71

Which TWO of the following are capabilities of Microsoft Entra ID Protection?

72

Which THREE of the following are required to configure Microsoft Entra ID self-service password reset (SSPR)?

73

You have configured the Conditional Access policy shown in the exhibit. Users report that they can still access Exchange Online using legacy authentication protocols. What is the most likely reason?

74

You executed the PowerShell script shown in the exhibit. What is the result?

75

You executed the PowerShell script shown in the exhibit to set a token lifetime policy for an application. What is the effect on users accessing the application?

76

Your company uses Microsoft Entra ID with P2 licenses. You need to implement a policy that automatically revokes access for users who are detected as high risk by Microsoft Entra ID Protection. The policy must allow users to self-remediate by performing MFA. What should you configure?

77

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Security. You need to ensure that Copilot's access to security data is governed by the principle of least privilege and that usage is auditable. What should you implement?

78

Users report that they are prompted for MFA every time they sign in, even on trusted devices. You need to reduce the frequency of MFA prompts while maintaining security. What should you configure?

79

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID. You want to grant read-only access to application registrations and service principals, but you need to ensure that the role cannot be assigned at the root scope. What change is required?

80

Your company uses Microsoft Entra ID with a third-party identity provider (IdP) for federation. Users report that sometimes they are unable to sign in even though the IdP is healthy. You suspect the issue is related to token signing certificate rotation. What should you do to resolve this proactively?

81

You need to ensure that external users who are invited to your Microsoft Entra ID tenant via B2B collaboration can only access a specific SaaS application. What should you configure?

82

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You want to detect and block sign-ins from non-compliant devices to a critical SaaS application. The solution must work for both managed (Microsoft Intune enrolled) and unmanaged devices. What should you use?

83

Your company uses Microsoft Entra ID with a custom domain. You need to implement a solution that allows users to sign in using their social identity providers (e.g., Google, Facebook) but still enforce your organization's MFA policies. What should you configure?

84

You need to ensure that when a user's role in Microsoft Entra ID is changed (e.g., from User to Global Administrator), the change is approved by a manager before it takes effect. Additionally, you need to enforce just-in-time (JIT) access for that role. What should you use?

85

Your organization uses Microsoft Entra ID and wants to implement a secure passwordless authentication strategy. Which TWO solutions can be used natively in Microsoft Entra ID for passwordless sign-in?

86

You are designing a security baseline for Microsoft Entra ID. Which THREE settings are recommended by Microsoft as part of the identity security baseline?

87

Your company wants to implement a least-privilege model for administrative roles in Microsoft Entra ID. Which TWO features should you use?

88

Refer to the exhibit. A user's sign-in to Azure Portal failed MFA. The risk level is medium due to leaked credentials. Conditional Access was not applied. What is the most likely reason for MFA failure?

89

Refer to the exhibit. You are reviewing a custom Microsoft Entra role for an application developer. A developer reports that they cannot register an application even though they have the 'applications/create' permission. What is the most likely cause?

90

Your organization wants to ensure that users accessing Office 365 from outside the corporate network must use MFA. What is the most efficient way to enforce this?

91

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users accessing sensitive data from unmanaged devices are required to use a compliant device. What should you configure?

92

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user accounts and enable self-service password reset (SSPR) for cloud users. You have set up Microsoft Entra Connect Sync. Which additional configuration is required to allow password writeback for SSPR?

93

Your organization has Microsoft Entra ID P2 licenses. You want to automatically detect and respond to compromised identities by requiring MFA when a sign-in risk is medium or above. Which policy should you configure?

94

Your organization uses Microsoft Entra ID. You need to manage access to a line-of-business application that supports SAML 2.0. The application should be integrated as an enterprise application in Entra ID. What steps must you take?

95

Your company has Microsoft Entra ID and uses Azure Bastion for secure VM access. You need to ensure that only administrators with PIM-activated roles can access the Bastion host. What should you configure?

96

Your organization uses Microsoft Entra ID and needs to implement a policy that blocks all sign-ins from countries that are not approved. What should you configure?

97

You are designing a privileged identity management strategy for Microsoft Entra ID. You need to ensure that eligible role assignments require approval from a designated group before activation. What configuration is required?

98

Your organization has Microsoft Entra ID and uses Microsoft Copilot for Microsoft 365. You need to ensure that Copilot interactions are logged and accessible for security investigations. What should you configure?

99

You need to grant a group of users the ability to read Microsoft Entra ID sign-in logs in the Azure portal. Which role should you assign?

100

Which TWO actions should you take to implement a zero-trust identity model using Microsoft Entra ID? (Choose two.)

101

Which THREE components are part of Microsoft Entra Conditional Access? (Choose three.)

102

Which TWO methods can be used to protect privileged accounts in Microsoft Entra ID? (Choose two.)

103

You are the security engineer for Contoso, a multinational company with 50,000 users in Microsoft Entra ID Premium P2. The company has a strict security policy requiring that all administrative actions be performed using just-in-time (JIT) access with approval, and that all privileged role activations be audited. Additionally, you need to ensure that Global Administrators are required to use phishing-resistant MFA (e.g., FIDO2 security keys) when activating their role. You have already configured Privileged Identity Management (PIM) for Azure AD roles. However, during a recent audit, you discovered that several Global Administrators were able to activate their role using only a text message (SMS) for MFA, violating the policy. You need to enforce the use of phishing-resistant MFA for all privileged role activations. What should you do?

104

Your organization, Fabrikam, uses Microsoft Entra ID and has recently deployed Microsoft Copilot for Azure to assist administrators with troubleshooting. You need to ensure that access to Copilot for Azure is restricted to a specific group of security administrators and that all interactions are logged for compliance. You have created a security group named 'Copilot-Admins' and assigned it the appropriate role. However, you notice that users outside this group can still access Copilot for Azure. Additionally, you need to ensure that all Copilot interactions are stored in a Log Analytics workspace for analysis. What should you do?

105

You are the security administrator for a company that uses Microsoft Entra ID. You need to configure a Conditional Access policy that applies to all users except the emergency break-glass accounts. The policy must require multi-factor authentication (MFA) when accessing the Azure portal from a location that is not trusted. What should you include in the policy?

106

A company is implementing Privileged Identity Management (PIM) in Microsoft Entra ID for Azure resources. The security team wants to ensure that all privileged role activations require approval and are logged. They also want to require Azure MFA during activation. However, they notice that some users are able to activate roles without approval. What is the most likely cause?

107

Your organization uses Microsoft Entra ID and has deployed Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud applications based on user behavior and device health. Which feature should you use?

108

You are managing a Microsoft Entra ID tenant with external collaboration enabled. You need to restrict external user access to only the groups and applications they are explicitly granted. You also want to prevent external users from seeing other external users in the tenant directory. Which settings should you configure?

109

Your company uses Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with company policies can access corporate resources. You have configured compliance policies in Intune. What additional step is required to enforce access control based on device compliance?

110

You are a security administrator for a financial institution. You need to implement a solution that allows users to authenticate using biometrics and prevents password-based attacks. Which Microsoft Entra ID feature should you enable?

111

Which THREE of the following are valid methods to secure service principals in Microsoft Entra ID?

112

Which TWO of the following are required to implement a successful Just-In-Time (JIT) access strategy using Microsoft Entra Privileged Identity Management (PIM) for Azure resources?

113

Which THREE of the following are recommended practices for securing administrative accounts in Microsoft Entra ID?

114

Refer to the exhibit. You are reviewing the external collaboration settings for your Microsoft Entra ID tenant. Based on the exhibit, which of the following statements is true about the current configuration?

115

You are the security architect for a large enterprise that uses Microsoft Entra ID with 50,000 users. The company recently adopted a cloud-first strategy and is migrating on-premises applications to Azure. You need to design a secure identity and access solution that meets the following requirements:
- All access to cloud applications must be authenticated using modern authentication protocols.
- Legacy authentication protocols (such as POP3, IMAP4, SMTP, and basic authentication) must be blocked.
- Users must be required to use multi-factor authentication (MFA) when accessing any application from outside the corporate network.
- Administrative access to Azure resources must be time-bound and require approval.
- The solution must minimize user friction for internal users on the corporate network.
- All sign-in risks must be detected and automatically remediated.
You have deployed Microsoft Entra ID P2 licensing and configured Microsoft Defender for Cloud Apps. Which of the following is the most appropriate combination of actions to meet all requirements?

116

You are a security administrator for a healthcare organization that uses Microsoft Entra ID and Microsoft 365. The organization must comply with HIPAA regulations, which require that access to protected health information (PHI) is logged and monitored. You need to configure access reviews for all users who have access to SharePoint Online sites containing PHI. The reviews must occur quarterly and be assigned to the respective site owners. Additionally, you need to ensure that inactive guest accounts are automatically removed after 90 days of inactivity. Which actions should you take?

117

You are the identity security engineer for a multinational company that uses Microsoft Entra ID. The company has recently experienced a security breach where an attacker compromised a non-administrator user account and then used that account to enumerate all users in the tenant. The attacker then attempted to brute-force passwords for high-privilege accounts. To prevent such attacks, management requires the following:
- Users with administrative roles must use phishing-resistant MFA.
- Any sign-in from a risky IP address must be blocked.
- Users must not be able to enumerate directory information via the Graph API unless they have a specific role.
- The solution should be implemented using built-in Microsoft Entra ID features.
What should you configure?

118

You work for a software development company that uses GitHub Enterprise and Microsoft Entra ID for identity management. Developers need to access Azure resources from their CI/CD pipelines. You need to configure secure authentication for these service principals used in pipelines. The requirements are:
- No client secrets should be used because they can be leaked.
- The authentication method must be automatically rotated.
- The service principal must have access only to a specific resource group.
- You need to monitor and alert if the service principal is used outside of the expected geographic region.

Which of the following is the most appropriate solution?

119

You are the security administrator for a company that is integrating a third-party SaaS application (AppA) with Microsoft Entra ID for single sign-on (SSO). The application requires the following permissions: read all users, read all groups, and sign in users. The security team is concerned about over-privileged applications. They require that:
- The application must not be able to read users or groups without an admin's explicit consent.
- Users should be able to sign in to the application without admin consent for basic profile access.
- Admin consent must be granted only for the minimal permissions required.
- You must be able to review and audit all permissions granted to applications.

What should you do?

120

An organization requires that all Azure SQL Database connections from non-corporate networks must be blocked unless initiated through Azure Bastion. Which Microsoft Entra ID Conditional Access policy setting should be configured?

121

A company plans to implement a Zero Trust identity strategy using Microsoft Entra ID. Which TWO actions should be taken to enforce least-privilege access for administrative roles?

122

A company uses Microsoft Entra ID and has an application registered that exposes scopes. An external partner organization needs to authenticate and access a specific scope. The partner's tenant is not federated. What is the most secure way to provide access without creating user accounts?

123

Refer to the exhibit. A custom role definition is created with the JSON above. A user assigned this role in the Prod resource group attempts to restart a VM but receives an authorization error. What is the most likely cause?

124

A company uses Microsoft Entra ID and has a custom application that authenticates via OAuth 2.0 device authorization grant. The app recently started receiving 'access_denied' errors for some users. The errors occur only for users who have Conditional Access policies applied. What change should be made to fix the issue while maintaining security?

125

You need to ensure that only approved iOS devices can access corporate email. Which Microsoft Intune policy should you configure?

126

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that automatically detects and remediates identity risks such as leaked credentials and impossible travel. The solution must use built-in Microsoft Entra capabilities without additional licensing beyond Microsoft Entra ID P2. What should you configure?

127

Your company uses Microsoft Entra ID with hybrid identity. You have a custom line-of-business application that uses SAML 2.0 for authentication. The application is registered in Microsoft Entra ID as an enterprise application. Users report that they are prompted for credentials twice when accessing the app from a domain-joined Windows 10 device. You need to prevent the second prompt. What should you do?

128

Your company uses Microsoft Entra ID (P2 licensed) and requires that all user logins from untrusted networks be blocked unless the user's device is marked as compliant by Microsoft Intune. You need to implement this requirement. Which TWO components should you use together to achieve this? (Choose two.)

129

Refer to the exhibit. You are reviewing a Conditional Access policy JSON definition. What is the MOST likely result of this policy?

130

You are a security architect for Contoso, a global financial services company with 10,000 employees. Contoso uses Microsoft Entra ID (P2 licensed), Microsoft Intune, and Microsoft Defender for Cloud Apps. All corporate devices are enrolled in Intune and marked as compliant. The company is adopting Microsoft Copilot for Microsoft 365 to boost productivity. The security team requires that access to Copilot for Microsoft 365 be restricted to users who have completed the required training (confirmed by HR system). Additionally, any access to Copilot from unmanaged devices must be blocked. You need to design an access control solution that meets these requirements with minimal administrative overhead and without custom code. Which action should you take?


Frequently asked questions

What does the Secure identity and access domain cover on the AZ-500 exam?

The Secure identity and access domain covers the key concepts tested in this area of the AZ-500 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-500 domains — no account required.

How many Secure identity and access questions are in the AZ-500 question bank?

The Courseiva AZ-500 question bank contains 130 questions in the Secure identity and access domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Secure identity and access for AZ-500?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Secure identity and access questions for AZ-500?

Yes — the session launcher on this page draws questions exclusively from the Secure identity and access domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
