20+ practice questions focused on Manage identity and access — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Manage identity and access PracticeA company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
Explanation: Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).
A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?
Explanation: Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the approval workflow and adding the manager as an approver ensures that the manager must approve each activation request, meeting the requirement for manager approval. Together, these two configurations satisfy both the time-bound and approval constraints.
A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?
Explanation: Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authentication context with the 'Require compliant device' grant control, you enforce device compliance specifically during role activation. This approach ensures the device compliance check is applied only when the user activates the Global Administrator role, not during regular access.
A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?
Explanation: Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.
A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?
Explanation: Option A is correct because cross-tenant access settings in Azure AD allow you to configure inbound trust for MFA from an external Azure AD tenant. When enabled, Azure AD B2B collaboration will accept the partner tenant's MFA claims, so partner users who have already satisfied MFA in their home tenant will not be prompted again when accessing your resources. This is configured under 'Cross-tenant access settings' > 'Inbound trust settings' for the specific partner tenant.
+15 more Manage identity and access questions available
Practice all Manage identity and access questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Manage identity and access. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Manage identity and access questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Manage identity and access is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Manage identity and access questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Manage identity and access is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Manage identity and access practice session with instant scoring and detailed explanations.
Start Manage identity and access Practice →