Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›AZ-500›Objectives›Manage identity and access
Objective 1.0

Manage identity and access

AZ-500 Practice Questions

Use this page to practise Manage identity and access questions for this certification. Focus on how the exam tests manage identity and access in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Full Practice Test →All Objectives

What this objective tests

AZ-500 Manage identity and access — Key Topics

Manage identity and access questions on this certification test your ability to deploy and manage manage identity and access concepts in scenario-based situations.

  • Core Manage identity and access concepts and how they apply in real-world cloud scenarios.
  • How to deploy manage identity and access correctly and verify the outcome.
  • Troubleshooting manage identity and access issues by interpreting error output and system state.
  • Cloud best practices and Manage identity and access design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Manage identity and access

  • ⚠Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠Choosing a global service fix when the issue is region-specific.
  • ⚠Overlooking cost implications of cross-region data transfer in architecture questions.

AZ-500 Manage identity and access — Practice Questions

30 questions from this objective

Question 2hardmultiple choice
Full question →

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

Question 3hardmulti select
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

Question 4hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

Question 5hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

Question 6hardmultiple choice
Full question →

A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?

Question 7mediummultiple choice
Read the full VPN explanation →

A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?

Question 8mediummultiple choice
Read the full NAT/PAT explanation →

A company uses Azure AD Identity Protection and Conditional Access. A user is detected with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user, but only when the sign-in originates from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy targeting all users. Which configuration should they add to the policy to achieve this?

Question 9hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?

Question 10hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to critical roles. They want to require that users who are eligible for the 'Security Administrator' role must provide a support ticket number in the justification when activating the role. Additionally, they want to set a maximum activation duration of 4 hours. Which PIM role setting should they configure?

Question 11hardmultiple choice
Full question →

A company has Azure AD Conditional Access policies that require multi-factor authentication (MFA) for all users accessing sensitive cloud apps. The security team wants to extend this protection by monitoring and controlling user activities within those applications (e.g., preventing data exfiltration during a session). Which Conditional Access session control should they implement?

Question 12mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?

Question 13hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?

Question 14hardmultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?

Question 15mediummultiple choice
Full question →

A company uses Azure Active Directory (Azure AD) and has a conditional access policy that requires multi-factor authentication (MFA) for all external users accessing SharePoint Online. However, the security team wants to enforce that external users must re-authenticate every 30 minutes when accessing SharePoint. Which control should they configure in a new conditional access policy targeting SharePoint Online?

Question 16mediummulti select
Study the full multicast explanation →

A company manages Azure AD roles with Privileged Identity Management (PIM). They want to enforce that when a user activates the Global Administrator role, they must provide a justification and also use Multi-Factor Authentication. Which PIM settings should they configure? (Choose two.)

Question 17mediummultiple choice
Full question →

A company uses Azure AD B2B collaboration to invite external partner users to collaborate on a project. The security team wants to ensure that when a partner user's account is disabled in their home Azure AD tenant, the user should immediately lose access to the company's resources, even if the user had a valid session token. Which configuration should they implement in cross-tenant access settings?

Question 18mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a ticket number as justification, and the activation must be approved by a designated approver group. The role activation duration should be limited to 4 hours. Which PIM settings should be configured?

Question 19mediummultiple choice
Full question →

A company uses Azure AD Identity Protection. They have detected a user with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user only when the sign-in comes from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy. Which configuration should they use?

Question 20mediummultiple choice
Full question →

A company uses Azure AD B2B collaboration to invite external partner users. The security policy requires that guest users who have not signed in for more than 90 days should have their access automatically reviewed and, if not approved, removed. The company has Azure AD Premium P2 licenses. Which Azure AD feature should they configure to meet this requirement?

Question 21mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?

Question 22mediummultiple choice
Full question →

A company has Azure AD Identity Protection enabled. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on Identity Protection risk?

Question 23mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to the 'Security Administrator' role. They want a specific user to be able to activate the role only when needed, rather than having standing access. The user should not have the role active at all times. Which type of assignment should they configure for this user in PIM?

Question 24mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that when a user activates this role, they must provide a support ticket number and a brief justification. Additionally, the activation should have a maximum duration of 4 hours. Which PIM role setting should they configure?

Question 25mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure resources. They want to enforce that when a user activates the Contributor role for a specific resource group, they must provide a ticket number as justification and the activation is limited to 4 hours. Which PIM settings should they configure?

Question 26easymultiple choice
Full question →

A company uses Azure AD with Premium P2 licenses. They want to require that all new users register for Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. If they do not register, they should be denied access to all cloud applications until registration is completed. Which Azure AD feature should they configure?

Question 27mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that when a user activates the Security Administrator role, they must provide a justification and the activation must be approved by a member of a specific security group. Which PIM setting should they configure?

Question 28mediummultiple choice
Study the full multicast explanation →

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want users who activate this role to provide a justification and a support ticket number, and they want the activation to expire after a maximum of 4 hours. Which PIM role settings should they configure?

Question 29mediummultiple choice
Full question →

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that are detected as having a high sign-in risk. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on the sign-in risk?

Question 30mediummultiple choice
Full question →

A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able to access a specific application, and prevent them from discovering other users or applications in the directory. Which configuration should they apply to the external users?

Question 31mediummultiple choice
Full question →

A company wants to ensure that users can only access Microsoft 365 services (e.g., Exchange Online, SharePoint Online) from devices that are confirmed to be compliant with corporate security policies (e.g., encryption enabled, antivirus active). Which Azure AD policy type should they create?

More Manage identity and access questions available in the full practice test.

Continue Practising →

Next objective

Secure networking

→

All AZ-500 Objectives

  • 1.Manage identity and access
  • 2.Secure networking