Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

AZ-500 Secure identity and access — All Questions With Answers

Complete AZ-500 Secure identity and access question bank — all 0 questions with answers and detailed explanations.

130 questions
Question 1 (easy, multiple choice)

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

Question 2 (medium, multiple choice)

Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?

Question 3 (hard, multiple choice)

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

Question 4 (easy, multiple choice)

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

Question 5 (medium, multiple choice)

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

Question 6 (hard, multiple choice)

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

Question 7 (easy, multiple choice)

You are troubleshooting why a user cannot sign in to a custom line-of-business application that is federated with Microsoft Entra ID. The user reports that they are repeatedly prompted for credentials and then receive an error. The application is configured for SAML-based SSO. What is the most likely cause?

Question 8 (medium, multiple choice)

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication method that reduces password-related risks. The solution must support users signing in from unmanaged devices without installing any software. Which authentication method should you prioritize?

Question 9 (hard, multiple choice)

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to implement a solution that detects password changes on-premises and forces re-authentication for active sessions within minutes. Which feature should you enable?

Question 10 (medium, multi select)

Which TWO of the following are valid configurations for Microsoft Entra ID Conditional Access policies?

Question 11 (hard, multi select)

Which THREE of the following are capabilities of Microsoft Entra ID Protection?

Question 12 (easy, multi select)

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Question 13 (medium, multiple choice)

Refer to the exhibit. You are analyzing a Conditional Access policy JSON. The policy requires MFA for Office 365 applications. However, users report that they are still able to access Office 365 without MFA. What is the most likely reason?

Exhibit

```json
{
  "tenantId": "contoso.onmicrosoft.com",
  "authenticationStrength": {
    "allowedAuthMethods": ["password", "mfa"],
    "requireMfa": true
  },
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["all"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": [],
    "customAuthenticationFactors": []
  }
}
```
Question 14 (hard, multiple choice)

Refer to the exhibit. You are reviewing the output of the Get-AzureADGroup PowerShell cmdlet. You need to create a Conditional Access policy that dynamically includes users based on their department attribute set to 'Finance'. Which group should you use in the policy?

Exhibit

```powershell
Get-AzureADGroup -Top 5 | ConvertTo-Json
[
  {
    "ObjectId": "11111111-1111-1111-1111-111111111111",
    "DisplayName": "All Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "22222222-2222-2222-2222-222222222222",
    "DisplayName": "Administrators",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  },
  {
    "ObjectId": "33333333-3333-3333-3333-333333333333",
    "DisplayName": "External Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "44444444-4444-4444-4444-444444444444",
    "DisplayName": "Finance Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "55555555-5555-5555-5555-555555555555",
    "DisplayName": "Sales Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  }
]
```
Question 15 (medium, multiple choice)

Refer to the exhibit. You are configuring an Entitlement Management access package. The policy allows any existing user to request access without approval, and access expires after 30 days. However, security requirements dictate that all access to Finance applications must be reviewed by the finance team manager every quarter. What should you add to the policy?

Exhibit

```json
{
  "properties": {
    "displayName": "Finance App Access Package",
    "description": "Access to Finance applications for employees",
    "resources": [
      {
        "originId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "type": "Application"
      }
    ],
    "assignmentPolicies": [
      {
        "accessPackageId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "accessReviewSettings": null,
        "durationInDays": 30,
        "expirationRequired": true,
        "isAccessReviewEnabled": false,
        "isApprovalRequiredForAdd": false,
        "isApprovalRequiredForRemove": false,
        "requestorSettings": {
          "scopeType": "AllExistingDirectorySubjects"
        }
      }
    ]
  }
}
```
Question 16 (easy, multiple choice)

Your organization uses Microsoft Entra ID for identity management. You need to prevent users from using their work accounts to access corporate resources from untrusted locations unless they have registered their devices. Which conditional access policy setting should you configure?

Question 17 (easy, multiple choice)

You are implementing Microsoft Entra ID Protection. You need to detect and respond to risky user behaviors such as leaked credentials and anonymous IP address usage. Which feature should you enable?

Question 18 (medium, multiple choice)

Your company deploys Microsoft Sentinel for security operations. You need to configure just-in-time (JIT) access for Azure VMs. Which Azure security feature should you integrate with Sentinel?

Question 19 (medium, multiple choice)

You are designing a secure access solution for an Azure App Service web application. The application uses Microsoft Entra ID for authentication. You need to ensure that only users from specific partner organizations can access the app. Which configuration should you use?

Question 20 (hard, multiple choice)

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

Question 21 (hard, multiple choice)

Your company is implementing a zero-trust security model. You need to ensure that all access to cloud applications is continuously verified based on user identity, device health, and location. Which combination of Microsoft security solutions should you use?

Question 22 (easy, multiple choice)

You are configuring Microsoft Entra ID Connect to synchronize on-premises Active Directory identities to the cloud. You need to ensure that password hashes are synchronized to enable Microsoft Entra ID Password Protection and Identity Protection. Which option should you enable?

Question 23 (medium, multiple choice)

Your organization uses Microsoft Entra ID and wants to provide external partners with access to a specific SharePoint Online site. You need to ensure that partners authenticate using their own corporate credentials (SAML/WS-Fed) and that access is automatically revoked when the partner's account is disabled. Which solution should you use?

Question 24 (hard, multiple choice)

Refer to the exhibit. A Microsoft Entra ID Conditional Access policy is defined as shown. You observe that the policy is blocking all users from accessing email via Exchange ActiveSync, but users can still access email via Outlook for iOS. What is the most likely reason?

Exhibit

```json
{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "Block legacy authentication",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "other"],
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      },
      "locations": {
        "includeLocations": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 25 (medium, multi select)

Which TWO actions should you perform to implement Microsoft Entra ID Password Protection for an on-premises Active Directory environment? (Choose two.)

Question 26 (medium, multi select)

Which THREE conditions can be used in a Microsoft Entra ID Conditional Access policy to control access based on sign-in risk? (Choose three.)

Question 27 (hard, multi select)

Which TWO features are available in Microsoft Entra ID Privileged Identity Management (PIM) for managing Azure AD roles? (Choose two.)

Question 28 (hard, multi select)

Which THREE Microsoft Entra ID roles can be assigned to a user to manage Microsoft Defender XDR (formerly Microsoft 365 Defender) incidents? (Choose three.)

Question 29 (medium, multiple choice)

Refer to the exhibit. You are configuring a PIM role setting for an Azure AD role. The exhibit shows the activation settings. A user activates the role and provides a justification. An approver from the Security Team does not see any pending requests. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "assignmentType": "Eligible",
    "duration": "P1D",
    "justificationRequired": true,
    "approvalRequired": true,
    "approvers": [
      {
        "id": "12345",
        "displayName": "Security Team"
      }
    ]
  }
}
```
Question 30 (hard, multiple choice)

Refer to the exhibit. You run the PowerShell cmdlet Get-AzureADPolicy for a tenant. Based on the output, what is the access token lifetime for this policy?

Exhibit

```powershell
Get-AzureADPolicy | Format-List Id, DisplayName, Definition

Id           : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
DisplayName  : TokenLifetimePolicy
Definition   : {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"01:00:00","MaxAgeSingleFactor":"06:00:00","MaxAgeMultiFactor":"12:00:00"}}
```
Question 31 (medium, multiple choice)

You manage a Microsoft Entra ID tenant for a multinational company. Users in the European office report that they cannot access the company's custom line-of-business application during peak hours, while users in the US office have no issues. The application uses OAuth 2.0 authentication with Conditional Access policies applied. What is the most likely cause?

Question 32 (hard, multiple choice)

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage roles. You need to ensure that when a user activates a role, the activation is automatically approved only if the user's manager approves within 30 minutes. If the manager does not respond, the activation is denied. What configuration should you implement?

Question 33 (easy, multiple choice)

You are a security engineer for a company that uses Microsoft Entra ID. You need to ensure that all users accessing the company's Salesforce application from unmanaged devices are prompted for multi-factor authentication (MFA) every time. What should you configure?

Question 34 (hard, multiple choice)

Your organization has a Microsoft Entra ID tenant with 50,000 users. You are designing a solution to automatically revoke access for users who have not signed in for 90 days. The solution must be cost-effective and use built-in Microsoft Entra ID features. What should you do?

Question 35 (medium, multiple choice)

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access Exchange Online. The solution must require users to reauthenticate every 12 hours. What should you configure?

Question 36 (easy, multiple choice)

You need to assign the 'Security Administrator' role in Microsoft Entra ID to a user named User1. The role assignment must be eligible, and User1 must provide a justification when activating the role. What should you use?

Question 37 (hard, multiple choice)

Your organization uses Microsoft Entra ID and has several applications registered. You need to ensure that only specific applications can call a particular web API. The web API is also registered in Microsoft Entra ID. What should you configure?

Question 38 (medium, multiple choice)

Your company uses Microsoft Entra ID and Microsoft Sentinel. You need to detect when a user account is created outside of normal business hours (9 AM - 5 PM local time) and automatically suspend the account. What should you use?

Question 39 (easy, multiple choice)

You need to ensure that external users who are invited to collaborate via Microsoft Entra B2B can only access the applications assigned to them. Which configuration should you use?

Question 40 (medium, multi select)

Your organization uses Microsoft Entra ID. You need to recommend solutions to reduce the risk of privileged role abuse. Which TWO actions should you recommend? (Choose two.)

Question 41 (hard, multi select)

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication strategy that satisfies the following requirements:
- Users must not be able to bypass security verification using alternate authentication methods.
- Passwordless authentication should be used where possible.
- Legacy authentication protocols must be blocked.

Which THREE actions should you take? (Choose three.)

Question 42 (medium, multi select)

Your organization uses Microsoft Entra ID and has a hybrid identity with Microsoft Entra Connect. You need to ensure that all user password changes and resets are synchronized to the cloud within 30 minutes. Which TWO actions should you take? (Choose two.)

Question 43 (medium, multiple choice)

Refer to the exhibit. You are creating a custom Azure RBAC role for a security analyst. The role as shown allows read access to storage accounts. The analyst reports that they cannot read the contents of a blob container in a storage account. Why is this?

Exhibit

```json
{
  "roleName": "Custom Role - Read Only",
  "roleType": "CustomRole",
  "assignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789012"],
  "permissions": [
    {
      "actions": ["Microsoft.Storage/storageAccounts/read"],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
```
Question 44 (hard, multiple choice)

Refer to the exhibit. You are reviewing user sign-in activity using Microsoft Graph API. The user has not performed an interactive sign-in since December 1, but had a non-interactive sign-in on December 5. You need to determine if the user should be considered inactive for a policy that defines inactivity as no interactive sign-in for 30 days. Today is December 15. What should you do?

Exhibit

```json
{
  "signInActivity": {
    "lastSignInDateTime": "2025-12-01T10:00:00Z",
    "lastNonInteractiveSignInDateTime": "2025-12-05T08:30:00Z"
  },
  "userPrincipalName": "user1@contoso.com",
  "userType": "Member",
  "isLicensed": true,
  "accountEnabled": true
}
```
Question 45 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

Exhibit

```json
{
  "properties": {
    "displayName": "Policy for external users",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": [],
        "includeGuestsOrExternalUsers": {
          "guestOrExternalUserTypes": "ServiceProvider"
        }
      },
      "applications": {
        "includeApplications": ["Office365"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa", "compliantDevice"],
      "operator": "OR"
    }
  }
}
```
Question 46 (medium, multiple choice)

Your company uses Microsoft Entra ID with a hybrid identity model. You need to implement a solution that allows you to block legacy authentication attempts while still allowing modern authentication protocols. What should you use?

Question 47 (hard, multiple choice)

You are designing a Microsoft Entra ID tenant for a multinational organization. The security team requires that all administrative users must use phishing-resistant MFA. Administrators are located in different regions and may use different devices. Which MFA method should you enforce?

Question 48 (easy, multiple choice)

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without contacting IT. Which feature should you enable?

Question 49 (medium, multiple choice)

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access corporate email. You configure a Conditional Access policy targeting Exchange Online. Which grant control should you use?

Question 50 (hard, multiple choice)

You are troubleshooting an issue where users are unable to access a sensitive application protected by a Conditional Access policy. The policy requires MFA from trusted locations, but users are reporting that they are prompted for MFA even when connecting from the corporate office, which is defined as a trusted location. What is the most likely cause?

Question 51 (easy, multiple choice)

Your organization uses Microsoft Entra ID. The security team wants to ensure that users cannot reuse the last five passwords. Which feature should you configure?

Question 52 (medium, multiple choice)

Your company uses Microsoft Entra ID and has Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud apps based on user behavior. Which feature should you use?

Question 53 (hard, multiple choice)

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to ensure that all privileged role activations are approved by a manager and require a ticket number. What should you configure in PIM?

Question 54 (easy, multiple choice)

Your company uses Microsoft Entra ID. You need to block sign-ins from countries where your company does not operate. Which approach should you use?

Question 55 (medium, multi select)

Which TWO of the following are methods to enforce MFA in Microsoft Entra ID?

Question 56 (hard, multi select)

Which THREE of the following can be used to provide just-in-time (JIT) privileged access to Azure resources?

Question 57 (easy, multi select)

Which TWO of the following are valid authentication methods in Microsoft Entra ID?

Question 58 (medium, multiple choice)

Refer to the exhibit. A Conditional Access policy is configured to block legacy authentication for Office 365. However, users are still able to access Exchange Online using Outlook (modern authentication). What is the most likely reason?

Exhibit

```json
{
  "ConditionalAccessPolicy": {
    "displayName": "Block Legacy Auth",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "other"],
      "applications": {
        "includeApplications": ["Office365"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 59 (hard, multiple choice)

Refer to the exhibit. A user is eligible for a role in PIM. When they activate the role, how long will the activation last?

Exhibit

```json
{
  "roleEligibilitySchedules": [
    {
      "principalId": "user1@contoso.com",
      "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
      "scheduleInfo": {
        "startDateTime": "2024-01-01T00:00:00Z",
        "expiration": {
          "type": "afterDuration",
          "duration": "PT8H"
        }
      }
    }
  ]
}
```
Question 60 (easy, multiple choice)

Refer to the exhibit. You run the command and see the output. What does the UserType 'Member' indicate?

Exhibit

```powershell
Get-AzureADUser -ObjectId user@contoso.com | Select-Object UserPrincipalName, UserType

UserPrincipalName   UserType
-----------------   --------
user@contoso.com    Member
```
Question 61 (easy, multiple choice)

Your organization is using Microsoft Entra ID Conditional Access to enforce MFA for all external users. A partner company reports that their users are prompted for MFA every time they access your resources, even though they already authenticated in their home tenant. What should you configure to reduce repeated prompts?

Question 62 (medium, multiple choice)

You are designing a privileged access strategy for Microsoft Entra ID. Your organization requires that all users who are assigned to the Global Administrator role must perform a privileged elevation only when needed, and the elevation must be approved by a security officer. Which feature should you implement?

Question 63 (hard, multiple choice)

You are a security engineer for a company that uses Microsoft Entra ID. You need to implement a solution that automatically blocks sign-ins from users detected as having compromised credentials. The solution should work in real-time and require no manual intervention. What should you use?

Question 64 (easy, multiple choice)

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users can reset their own passwords without help desk intervention, but they must register for self-service password reset (SSPR) first. Which configuration is required?

Question 65 (medium, multiple choice)

You are troubleshooting a sign-in issue. A user reports that they are repeatedly prompted for authentication when accessing a cloud app, even though they already authenticated earlier in the day. You check the Conditional Access policy and see that 'Session control - Sign-in frequency' is set to 1 hour. What is the most likely cause?

Question 66 (hard, multiple choice)

Your organization uses Microsoft Entra ID and requires that all access to sensitive applications be approved by the application owner. You need to implement a solution where users can request access to these applications, and the request is automatically routed to the owner for approval. What should you configure?

Question 67 (easy, multiple choice)

You need to grant a user the ability to reset passwords for all users in the finance department. The finance department users are in a specific organizational unit (OU) in on-premises Active Directory, which syncs to Microsoft Entra ID. What is the most secure way to delegate this?

Question 68 (medium, multiple choice)

Your organization uses Microsoft Entra ID. You need to ensure that users accessing internal applications from unmanaged devices are required to use Microsoft Edge with specific security configurations. Which Conditional Access control should you use?

Question 69 (hard, multiple choice)

You are implementing a B2B collaboration solution in Microsoft Entra ID. You need to ensure that external users from a partner tenant can access your internal applications, but they must use MFA from their home tenant. The partner tenant does not support MFA. What should you do?

Question 70 (easy, multi select)

Which TWO of the following are valid methods to authenticate users in Microsoft Entra ID?

Question 71 (medium, multi select)

Which TWO of the following are capabilities of Microsoft Entra ID Protection?

Question 72 (hard, multi select)

Which THREE of the following are required to configure Microsoft Entra ID self-service password reset (SSPR)?

Question 73 (medium, multiple choice)

You have configured the Conditional Access policy shown in the exhibit. Users report that they can still access Exchange Online using legacy authentication protocols. What is the most likely reason?

Exhibit

```json
{
  "policy": {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "clientAppTypes": ["exchangeActiveSync", "otherClients"],
      "applications": {
        "includeApplications": ["Office365"]
      }
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 74 (hard, multiple choice)

You executed the PowerShell script shown in the exhibit. What is the result?

Exhibit

```powershell
$users = Get-AzureADUser -All $true | Where-Object {$_.UserPrincipalName -like "*@contoso.com"}
$users | ForEach-Object {
  $role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}
  Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $_.ObjectId
}
```
Question 75 (medium, multiple choice)

You executed the PowerShell script shown in the exhibit to set a token lifetime policy for an application. What is the effect on users accessing the application?

Exhibit

Refer to the exhibit.

$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"01:00:00"}}') -DisplayName "TwoHourToken" -IsOrganizationDefault $false
Add-AzureADApplicationPolicy -Id $appId -RefObjectId $policy.Id

Question 76 (medium, multiple choice)

Your company uses Microsoft Entra ID with P2 licenses. You need to implement a policy that automatically revokes access for users who are detected as high risk by Microsoft Entra ID Protection. The policy must allow users to self-remediate by performing MFA. What should you configure?

Question 77 (hard, multiple choice)

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Security. You need to ensure that Copilot's access to security data is governed by the principle of least privilege and that usage is auditable. What should you implement?

Question 78 (easy, multiple choice)

Users report that they are prompted for MFA every time they sign in, even on trusted devices. You need to reduce the frequency of MFA prompts while maintaining security. What should you configure?

Question 79 (medium, multiple choice)

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID. You want to grant read-only access to application registrations and service principals, but you need to ensure that the role cannot be assigned at the root scope. What change is required?

Exhibit

{
  "roleName": "Custom App Security Reader",
  "description": "Read-only access to app registrations and service principals",
  "assignableScopes": ["/"],
  "permissions": [
    {
      "actions": [
        "microsoft.directory/applications/standard/read",
        "microsoft.directory/servicePrincipals/standard/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}

Question 80 (hard, multiple choice)

Your company uses Microsoft Entra ID with a third-party identity provider (IdP) for federation. Users report that sometimes they are unable to sign in even though the IdP is healthy. You suspect the issue is related to token signing certificate rotation. What should you do to resolve this proactively?

Question 81 (easy, multiple choice)

You need to ensure that external users who are invited to your Microsoft Entra ID tenant via B2B collaboration can only access a specific SaaS application. What should you configure?

Question 82 (medium, multiple choice)

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You want to detect and block sign-ins from non-compliant devices to a critical SaaS application. The solution must work for both managed (Microsoft Intune enrolled) and unmanaged devices. What should you use?

Question 83 (hard, multiple choice)

Your company uses Microsoft Entra ID with a custom domain. You need to implement a solution that allows users to sign in using their social identity providers (e.g., Google, Facebook) but still enforce your organization's MFA policies. What should you configure?

Question 84 (easy, multiple choice)

You need to ensure that when a user's role in Microsoft Entra ID is changed (e.g., from User to Global Administrator), the change is approved by a manager before it takes effect. Additionally, you need to enforce just-in-time (JIT) access for that role. What should you use?

Question 85 (medium, multi select)

Your organization uses Microsoft Entra ID and wants to implement a secure passwordless authentication strategy. Which TWO solutions can be used natively in Microsoft Entra ID for passwordless sign-in?

Question 86 (hard, multi select)

You are designing a security baseline for Microsoft Entra ID. Which THREE settings are recommended by Microsoft as part of the identity security baseline?

Question 87 (easy, multi select)

Your company wants to implement a least-privilege model for administrative roles in Microsoft Entra ID. Which TWO features should you use?

Question 88 (medium, multiple choice)

Refer to the exhibit. A user's sign-in to Azure Portal failed MFA. The risk level is medium due to leaked credentials. Conditional Access was not applied. What is the most likely reason for MFA failure?

Exhibit

{
  "signInLog": {
    "userPrincipalName": "jdoe@contoso.com",
    "appDisplayName": "Azure Portal",
    "ipAddress": "203.0.113.1",
    "riskLevelDuringSignIn": "medium",
    "riskEventTypes": ["leakedCredentials"],
    "authenticationRequirement": "multiFactorAuthentication",
    "mfaResult": "failed",
    "conditionalAccessStatus": "notApplied"
  }
}

Question 89 (hard, multiple choice)

Refer to the exhibit. You are reviewing a custom Microsoft Entra role for an application developer. A developer reports that they cannot register an application even though they have the 'applications/create' permission. What is the most likely cause?

Exhibit

{
  "roleDefinition": {
    "id": "62e90394-69f5-4237-9190-012177145e10",
    "displayName": "Application Developer",
    "description": "Can create and manage app registrations",
    "allowedResourceActions": [
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/update",
      "microsoft.directory/applications/delete"
    ]
  }
}

Question 90 (easy, multiple choice)

Your organization wants to ensure that users accessing Office 365 from outside the corporate network must use MFA. What is the most efficient way to enforce this?

Question 91 (medium, multiple choice)

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users accessing sensitive data from unmanaged devices are required to use a compliant device. What should you configure?

Question 92 (hard, multiple choice)

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user accounts and enable self-service password reset (SSPR) for cloud users. You have set up Microsoft Entra Connect Sync. Which additional configuration is required to allow password writeback for SSPR?

Question 93 (easy, multiple choice)

Your organization has Microsoft Entra ID P2 licenses. You want to automatically detect and respond to compromised identities by requiring MFA when a sign-in risk is medium or above. Which policy should you configure?

Question 94 (medium, multiple choice)

Your organization uses Microsoft Entra ID. You need to manage access to a line-of-business application that supports SAML 2.0. The application should be integrated as an enterprise application in Entra ID. What steps must you take?

Question 95 (hard, multiple choice)

Your company has Microsoft Entra ID and uses Azure Bastion for secure VM access. You need to ensure that only administrators with PIM-activated roles can access the Bastion host. What should you configure?

Question 96 (easy, multiple choice)

Your organization uses Microsoft Entra ID and needs to implement a policy that blocks all sign-ins from countries that are not approved. What should you configure?

Question 97 (medium, multiple choice)

You are designing a privileged identity management strategy for Microsoft Entra ID. You need to ensure that eligible role assignments require approval from a designated group before activation. What configuration is required?

Question 98 (hard, multiple choice)

Your organization has Microsoft Entra ID and uses Microsoft Copilot for Microsoft 365. You need to ensure that Copilot interactions are logged and accessible for security investigations. What should you configure?

Question 99 (easy, multiple choice)

You need to grant a group of users the ability to read Microsoft Entra ID sign-in logs in the Azure portal. Which role should you assign?

Question 100 (medium, multi select)

Which TWO actions should you take to implement a zero-trust identity model using Microsoft Entra ID? (Choose two.)

Question 101 (hard, multi select)

Which THREE components are part of Microsoft Entra Conditional Access? (Choose three.)

Question 102 (medium, multi select)

Which TWO methods can be used to protect privileged accounts in Microsoft Entra ID? (Choose two.)

Question 103 (hard, multiple choice)

You are the security engineer for Contoso, a multinational company with 50,000 users in Microsoft Entra ID Premium P2. The company has a strict security policy requiring that all administrative actions be performed using just-in-time (JIT) access with approval, and that all privileged role activations be audited. Additionally, you need to ensure that Global Administrators are required to use phishing-resistant MFA (e.g., FIDO2 security keys) when activating their role. You have already configured Privileged Identity Management (PIM) for Azure AD roles. However, during a recent audit, you discovered that several Global Administrators were able to activate their role using only a text message (SMS) for MFA, violating the policy. You need to enforce the use of phishing-resistant MFA for all privileged role activations. What should you do?

Question 104 (medium, multiple choice)

Your organization, Fabrikam, uses Microsoft Entra ID and has recently deployed Microsoft Copilot for Azure to assist administrators with troubleshooting. You need to ensure that access to Copilot for Azure is restricted to a specific group of security administrators and that all interactions are logged for compliance. You have created a security group named 'Copilot-Admins' and assigned it the appropriate role. However, you notice that users outside this group can still access Copilot for Azure. Additionally, you need to ensure that all Copilot interactions are stored in a Log Analytics workspace for analysis. What should you do?

Question 105 (medium, multiple choice)

You are the security administrator for a company that uses Microsoft Entra ID. You need to configure a Conditional Access policy that applies to all users except the emergency break-glass accounts. The policy must require multi-factor authentication (MFA) when accessing the Azure portal from a location that is not trusted. What should you include in the policy?

Question 106 (hard, multiple choice)

A company is implementing Privileged Identity Management (PIM) in Microsoft Entra ID for Azure resources. The security team wants to ensure that all privileged role activations require approval and are logged. They also want to require Azure MFA during activation. However, they notice that some users are able to activate roles without approval. What is the most likely cause?

Question 107 (easy, multiple choice)

Your organization uses Microsoft Entra ID and has deployed Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud applications based on user behavior and device health. Which feature should you use?

Question 108 (hard, multiple choice)

You are managing a Microsoft Entra ID tenant with external collaboration enabled. You need to restrict external user access to only the groups and applications they are explicitly granted. You also want to prevent external users from seeing other external users in the tenant directory. Which settings should you configure?

Question 109 (medium, multiple choice)

Your company uses Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with company policies can access corporate resources. You have configured compliance policies in Intune. What additional step is required to enforce access control based on device compliance?

Question 110 (easy, multiple choice)

You are a security administrator for a financial institution. You need to implement a solution that allows users to authenticate using biometrics and prevents password-based attacks. Which Microsoft Entra ID feature should you enable?

Question 111 (medium, multi select)

Which THREE of the following are valid methods to secure service principals in Microsoft Entra ID?

Question 112 (hard, multi select)

Which TWO of the following are required to implement a successful Just-In-Time (JIT) access strategy using Microsoft Entra Privileged Identity Management (PIM) for Azure resources?

Question 113 (easy, multi select)

Which THREE of the following are recommended practices for securing administrative accounts in Microsoft Entra ID?

Question 114 (medium, multiple choice)

Refer to the exhibit. You are reviewing the external collaboration settings for your Microsoft Entra ID tenant. Based on the exhibit, which of the following statements is true about the current configuration?

Exhibit

{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "External Collaboration Policy",
    "description": "Controls external user invitations and access",
    "settings": {
      "allowEmailVerifiedUsersToJoinOrganization": false,
      "allowInvitationsFrom": "adminsAndGuestInviters",
      "enableB2BEmailOneTimePasscode": true,
      "enableB2BDirectConnect": false
    }
  }
}

Question 115 (hard, multiple choice)

You are the security architect for a large enterprise that uses Microsoft Entra ID with 50,000 users. The company recently adopted a cloud-first strategy and is migrating on-premises applications to Azure. You need to design a secure identity and access solution that meets the following requirements:

- All access to cloud applications must be authenticated using modern authentication protocols.
- Legacy authentication protocols (such as POP3, IMAP4, SMTP, and basic authentication) must be blocked.
- Users must be required to use multi-factor authentication (MFA) when accessing any application from outside the corporate network.
- Administrative access to Azure resources must be time-bound and require approval.
- The solution must minimize user friction for internal users on the corporate network.
- All sign-in risks must be detected and automatically remediated.

You have deployed Microsoft Entra ID P2 licensing and configured Microsoft Defender for Cloud Apps. Which of the following is the most appropriate combination of actions to meet all requirements?

Question 116 (medium, multiple choice)

You are a security administrator for a healthcare organization that uses Microsoft Entra ID and Microsoft 365. The organization must comply with HIPAA regulations, which require that access to protected health information (PHI) is logged and monitored. You need to configure access reviews for all users who have access to SharePoint Online sites containing PHI. The reviews must occur quarterly and be assigned to the respective site owners. Additionally, you need to ensure that inactive guest accounts are automatically removed after 90 days of inactivity. Which actions should you take?

Question 117 (easy, multiple choice)

You are the identity security engineer for a multinational company that uses Microsoft Entra ID. The company has recently experienced a security breach where an attacker compromised a non-administrator user account and then used that account to enumerate all users in the tenant. The attacker then attempted to brute-force passwords for high-privilege accounts. To prevent such attacks, management requires the following:

- Users with administrative roles must use phishing-resistant MFA.
- Any sign-in from a risky IP address must be blocked.
- Users must not be able to enumerate directory information via the Graph API unless they have a specific role.
- The solution should be implemented using built-in Microsoft Entra ID features.

What should you configure?

Question 118 (hard, multiple choice)

You work for a software development company that uses GitHub Enterprise and Microsoft Entra ID for identity management. Developers need to access Azure resources from their CI/CD pipelines. You need to configure secure authentication for these service principals used in pipelines. The requirements are:

- No client secrets should be used because they can be leaked.
- The authentication method must be automatically rotated.
- The service principal must have access only to a specific resource group.
- You need to monitor and alert if the service principal is used outside of the expected geographic region.

Which of the following is the most appropriate solution?

Question 119 (medium, multiple choice)

You are the security administrator for a company that is integrating a third-party SaaS application (AppA) with Microsoft Entra ID for single sign-on (SSO). The application requires the following permissions: read all users, read all groups, and sign in users. The security team is concerned about over-privileged applications. They require that:

- The application must not be able to read users or groups without an admin's explicit consent.
- Users should be able to sign in to the application without admin consent for basic profile access.
- Admin consent must be granted only for the minimal permissions required.
- You must be able to review and audit all permissions granted to applications.

What should you do?

Question 120 (easy, multiple choice)

An organization requires that all Azure SQL Database connections from non-corporate networks must be blocked unless initiated through Azure Bastion. Which Microsoft Entra ID Conditional Access policy setting should be configured?

Question 121 (medium, multi select)

A company plans to implement a Zero Trust identity strategy using Microsoft Entra ID. Which TWO actions should be taken to enforce least-privilege access for administrative roles?

Question 122 (hard, multiple choice)

A company uses Microsoft Entra ID and has an application registered that exposes scopes. An external partner organization needs to authenticate and access a specific scope. The partner's tenant is not federated. What is the most secure way to provide access without creating user accounts?

Question 123 (medium, multiple choice)

Refer to the exhibit. A custom role definition is created with the JSON above. A user assigned this role in the Prod resource group attempts to restart a VM but receives an authorization error. What is the most likely cause?

Exhibit

{
  "roleName": "Custom VM Operator",
  "assignableScopes": ["/subscriptions/12345-abcde-.../resourceGroups/Prod"],
  "permissions": [{
    "actions": [
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Compute/virtualMachines/restart/action"
    ],
    "notActions": []
  }]
}

Question 124 (hard, multiple choice)

A company uses Microsoft Entra ID and has a custom application that authenticates via OAuth 2.0 device authorization grant. The app recently started receiving 'access_denied' errors for some users. The errors occur only for users who have Conditional Access policies applied. What change should be made to fix the issue while maintaining security?

Question 125 (easy, multiple choice)

You need to ensure that only approved iOS devices can access corporate email. Which Microsoft Intune policy should you configure?

Question 126 (medium, multiple choice)

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that automatically detects and remediates identity risks such as leaked credentials and impossible travel. The solution must use built-in Microsoft Entra capabilities without additional licensing beyond Microsoft Entra ID P2. What should you configure?

Question 127 (hard, multiple choice)

Your company uses Microsoft Entra ID with hybrid identity. You have a custom line-of-business application that uses SAML 2.0 for authentication. The application is registered in Microsoft Entra ID as an enterprise application. Users report that they are prompted for credentials twice when accessing the app from a domain-joined Windows 10 device. You need to prevent the second prompt. What should you do?

Question 128 (medium, multi select)

Your company uses Microsoft Entra ID (P2 licensed) and requires that all user logins from untrusted networks be blocked unless the user's device is marked as compliant by Microsoft Intune. You need to implement this requirement. Which TWO components should you use together to achieve this? (Choose two.)

Question 129 (easy, multiple choice)

Refer to the exhibit. You are reviewing a Conditional Access policy JSON definition. What is the MOST likely result of this policy?

Exhibit

Refer to the exhibit.

{
  "name": "Block external identities from accessing corporate apps",
  "conditions": {
    "applications": { "includeApplications": ["Office365"] },
    "users": { "includeUsers": ["All"], "excludeUsers": ["admin@contoso.com"] },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "signInRiskLevels": [],
    "locations": { "includeLocations": ["AllTrusted"] }
  },
  "grantControls": {
    "builtInControls": ["block"]
  }
}

Question 130 (hard, multiple choice)

You are a security architect for Contoso, a global financial services company with 10,000 employees. Contoso uses Microsoft Entra ID (P2 licensed), Microsoft Intune, and Microsoft Defender for Cloud Apps. All corporate devices are enrolled in Intune and marked as compliant. The company is adopting Microsoft Copilot for Microsoft 365 to boost productivity. The security team requires that access to Copilot for Microsoft 365 be restricted to users who have completed the required training (confirmed by HR system). Additionally, any access to Copilot from unmanaged devices must be blocked. You need to design an access control solution that meets these requirements with minimal administrative overhead and without custom code. Which action should you take?
