AZ-500 Secure identity and access • Complete Question Bank
Complete AZ-500 Secure identity and access question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```json
{
  "tenantId": "contoso.onmicrosoft.com",
  "authenticationStrength": {
    "allowedAuthMethods": ["password", "mfa"],
    "requireMfa": true
  },
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["all"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": [],
    "customAuthenticationFactors": []
  }
}
```

Refer to the exhibit.
```powershell
Get-AzureADGroup -Top 5 | ConvertTo-Json
```

```json
[
  {
    "ObjectId": "11111111-1111-1111-1111-111111111111",
    "DisplayName": "All Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "22222222-2222-2222-2222-222222222222",
    "DisplayName": "Administrators",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  },
  {
    "ObjectId": "33333333-3333-3333-3333-333333333333",
    "DisplayName": "External Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "44444444-4444-4444-4444-444444444444",
    "DisplayName": "Finance Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "55555555-5555-5555-5555-555555555555",
    "DisplayName": "Sales Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  }
]
```

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Finance App Access Package",
    "description": "Access to Finance applications for employees",
    "resources": [
      {
        "originId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "type": "Application"
      }
    ],
    "assignmentPolicies": [
      {
        "accessPackageId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "accessReviewSettings": null,
        "durationInDays": 30,
        "expirationRequired": true,
        "isAccessReviewEnabled": false,
        "isApprovalRequiredForAdd": false,
        "isApprovalRequiredForRemove": false,
        "requestorSettings": {
          "scopeType": "AllExistingDirectorySubjects"
        }
      }
    ]
  }
}
```

```json
{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "Block legacy authentication",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "other"],
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      },
      "locations": {
        "includeLocations": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```

```json
{
  "properties": {
    "assignmentType": "Eligible",
    "duration": "P1D",
    "justificationRequired": true,
    "approvalRequired": true,
    "approvers": [
      {
        "id": "12345",
        "displayName": "Security Team"
      }
    ]
  }
}
```

```powershell
Get-AzureADPolicy | Format-List Id, DisplayName, Definition

Id          : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
DisplayName : TokenLifetimePolicy
Definition  : {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00","MaxAgeSingleFactor":"06:00:00","MaxAgeMultiFactor":"12:00:00"}}
```

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication strategy that satisfies the following requirements:

- Users must not be able to bypass security verification using alternate authentication methods.
- Passwordless authentication should be used where possible.
- Legacy authentication protocols must be blocked.
Which THREE actions should you take? (Choose three.)
Refer to the exhibit.
```json
{
  "roleName": "Custom Role - Read Only",
  "roleType": "CustomRole",
  "assignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789012"],
  "permissions": [
    {
      "actions": ["Microsoft.Storage/storageAccounts/read"],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
```

Refer to the exhibit.
```json
{
  "signInActivity": {
    "lastSignInDateTime": "2025-12-01T10:00:00Z",
    "lastNonInteractiveSignInDateTime": "2025-12-05T08:30:00Z"
  },
  "userPrincipalName": "user1@contoso.com",
  "userType": "Member",
  "isLicensed": true,
  "accountEnabled": true
}
```

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Policy for external users",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": [],
        "includeGuestsOrExternalUsers": {
          "guestOrExternalUserTypes": "ServiceProvider"
        }
      },
      "applications": {
        "includeApplications": ["Office365"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa", "compliantDevice"],
      "operator": "OR"
    }
  }
}
```

Refer to the exhibit.
```json
{
  "ConditionalAccessPolicy": {
    "displayName": "Block Legacy Auth",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "other"],
      "applications": {
        "includeApplications": ["Office365"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```

Refer to the exhibit.
```json
{
  "roleEligibilitySchedules": [
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
      "scheduleInfo": {
        "startDateTime": "2024-01-01T00:00:00Z",
        "expiration": {
          "type": "afterDuration",
          "duration": "PT8H"
        }
      }
    }
  ]
}
```

Refer to the exhibit.

```powershell
Get-AzureADUser -ObjectId user@contoso.com | Select-Object UserPrincipalName, UserType

UserPrincipalName UserType
----------------- --------
user@contoso.com  Member
```
Refer to the exhibit.
```json
{
  "policy": {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "otherClients"],
      "applications": {
        "includeApplications": ["Office365"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```

Refer to the exhibit.
```powershell
$users = Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -like "*@contoso.com"}
$users | ForEach-Object {
    $role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $_.ObjectId
}
```

Refer to the exhibit.
```powershell
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"01:00:00"}}') -DisplayName "TwoHourToken" -IsOrganizationDefault $false
Add-AzureADApplicationPolicy -Id $appId -RefObjectId $policy.Id
```

```json
{
  "roleName": "Custom App Security Reader",
  "description": "Read-only access to app registrations and service principals",
  "assignableScopes": ["/"],
  "permissions": [
    {
      "actions": [
        "microsoft.directory/applications/standard/read",
        "microsoft.directory/servicePrincipals/standard/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
```

```json
{
  "signInLog": {
    "userPrincipalName": "jdoe@contoso.com",
    "appDisplayName": "Azure Portal",
    "ipAddress": "203.0.113.1",
    "riskLevelDuringSignIn": "medium",
    "riskEventTypes": ["leakedCredentials"],
    "authenticationRequirement": "multiFactorAuthentication",
    "mfaResult": "failed",
    "conditionalAccessStatus": "notApplied"
  }
}
```

```json
{
  "roleDefinition": {
    "id": "62e90394-69f5-4237-9190-012177145e10",
    "displayName": "Application Developer",
    "description": "Can create and manage app registrations",
    "allowedResourceActions": [
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/update",
      "microsoft.directory/applications/delete"
    ]
  }
}
```

```json
{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "External Collaboration Policy",
    "description": "Controls external user invitations and access",
    "settings": {
      "allowEmailVerifiedUsersToJoinOrganization": false,
      "allowInvitationsFrom": "adminsAndGuestInviters",
      "enableB2BEmailOneTimePasscode": true,
      "enableB2BDirectConnect": false
    }
  }
}
```

You are the security architect for a large enterprise that uses Microsoft Entra ID with 50,000 users. The company recently adopted a cloud-first strategy and is migrating on-premises applications to Azure. You need to design a secure identity and access solution that meets the following requirements:
- All access to cloud applications must be authenticated using modern authentication protocols.
- Legacy authentication protocols (such as POP3, IMAP4, SMTP, and basic authentication) must be blocked.
- Users must be required to use multi-factor authentication (MFA) when accessing any application from outside the corporate network.
- Administrative access to Azure resources must be time-bound and require approval.
- The solution must minimize user friction for internal users on the corporate network.
- All sign-in risks must be detected and automatically remediated.
You have deployed Microsoft Entra ID P2 licensing and configured Microsoft Defender for Cloud Apps. Which of the following is the most appropriate combination of actions to meet all requirements?
You are the identity security engineer for a multinational company that uses Microsoft Entra ID. The company has recently experienced a security breach where an attacker compromised a non-administrator user account and then used that account to enumerate all users in the tenant. The attacker then attempted to brute-force passwords for high-privilege accounts. To prevent such attacks, management requires the following:
- Users with administrative roles must use phishing-resistant MFA.
- Any sign-in from a risky IP address must be blocked.
- Users must not be able to enumerate directory information via the Graph API unless they have a specific role.
- The solution should be implemented using built-in Microsoft Entra ID features.
What should you configure?
You work for a software development company that uses GitHub Enterprise and Microsoft Entra ID for identity management. Developers need to access Azure resources from their CI/CD pipelines. You need to configure secure authentication for these service principals used in pipelines. The requirements are:
- No client secrets should be used because they can be leaked.
- The authentication method must be automatically rotated.
- The service principal must have access only to a specific resource group.
- You need to monitor and alert if the service principal is used outside of the expected geographic region.
Which of the following is the most appropriate solution?
You are the security administrator for a company that is integrating a third-party SaaS application (AppA) with Microsoft Entra ID for single sign-on (SSO). The application requires the following permissions: read all users, read all groups, and sign in users. The security team is concerned about over-privileged applications. They require that:
- The application must not be able to read users or groups without an admin's explicit consent.
- Users should be able to sign in to the application without admin consent for basic profile access.
- Admin consent must be granted only for the minimal permissions required.
- You must be able to review and audit all permissions granted to applications.
What should you do?
```json
{
  "roleName": "Custom VM Operator",
  "assignableScopes": ["/subscriptions/12345-abcde-.../resourceGroups/Prod"],
  "permissions": [{
    "actions": [
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/restart/action"
    ],
    "notActions": []
  }]
}
```

Refer to the exhibit.
```json
{
  "name": "Block external identities from accessing corporate apps",
  "conditions": {
    "applications": { "includeApplications": ["Office365"] },
    "users": { "includeUsers": ["All"], "excludeUsers": ["admin@contoso.com"] },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "signInRiskLevels": [],
    "locations": { "includeLocations": ["AllTrusted"] }
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}
```